[Snort-sigs] Emerging Threats Weekly Signature Changes

emerging at ...3335...
Sat Sep 6 18:00:08 EDT 2008


[***] Results from Oinkmaster started Sat Sep  6 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008530 - ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server (emerging.rules)
 2008531 - ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server (emerging.rules)
 2008532 - ET TROJAN Bifrose Connect to Controller (variant 2) (emerging-virus.rules)
 2008533 - ET POLICY Possible External Ultrasurf Anonymizer DNS Query (emerging-policy.rules)
 2008536 - ET SCAN Halberd Load Balanced Webserver Detection Scan (emerging-scan.rules)
 2008537 - ET SCAN Hmap Webserver Fingerprint Scan (emerging-scan.rules)
 2008538 - ET SCAN Sqlmap SQL Injection Scan (emerging-scan.rules)
 2008539 - ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound (emerging.rules)
 2008540 - ET TROJAN Hupigon.dkxh Checkin to CnC (emerging-virus.rules)
 2008541 - ET TROJAN Bravix Checkin (emerging-virus.rules)


[///]     Modified active rules:     [///]

 2003578 - ET MALWARE Baidu.com Spyware Bar Pulling Data (emerging-malware.rules)
 2003607 - ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting (emerging-malware.rules)
 2008375 - ET MALWARE Gooochi Related Spyware Ad pull (emerging-malware.rules)
 2008402 - ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin (emerging-malware.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (emerging-drop.rules)
 2401000 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401001 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401002 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401003 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401004 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401005 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401006 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2401007 - ET DROP Spamhaus DROP Listed Traffic Inbound - BLOCKING SOURCE (emerging-drop-BLOCK.rules)
 2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
 2403000 - ET DROP Dshield Block Listed Source - BLOCKING (emerging-dshield-BLOCK.rules)
 2404000 - ET DROP Known Bot C&C Server Traffic (group 1)  (emerging-botcc.rules)
 2404001 - ET DROP Known Bot C&C Server Traffic (group 2)  (emerging-botcc.rules)
 2404002 - ET DROP Known Bot C&C Server Traffic (group 3)  (emerging-botcc.rules)
 2404003 - ET DROP Known Bot C&C Server Traffic (group 4)  (emerging-botcc.rules)
 2404004 - ET DROP Known Bot C&C Server Traffic (group 5)  (emerging-botcc.rules)
 2404005 - ET DROP Known Bot C&C Server Traffic (group 6)  (emerging-botcc.rules)
 2404006 - ET DROP Known Bot C&C Server Traffic (group 7)  (emerging-botcc.rules)
 2404007 - ET DROP Known Bot C&C Server Traffic (group 8)  (emerging-botcc.rules)
 2404008 - ET DROP Known Bot C&C Server Traffic (group 9)  (emerging-botcc.rules)
 2404009 - ET DROP Known Bot C&C Server Traffic (group 10)  (emerging-botcc.rules)
 2404010 - ET DROP Known Bot C&C Server Traffic (group 11)  (emerging-botcc.rules)
 2404011 - ET DROP Known Bot C&C Server Traffic (group 12)  (emerging-botcc.rules)
 2404012 - ET DROP Known Bot C&C Server Traffic (group 13)  (emerging-botcc.rules)
 2404013 - ET DROP Known Bot C&C Server Traffic (group 14)  (emerging-botcc.rules)
 2404014 - ET DROP Known Bot C&C Server Traffic (group 15)  (emerging-botcc.rules)
 2404015 - ET DROP Known Bot C&C Server Traffic (group 16)  (emerging-botcc.rules)
 2404016 - ET DROP Known Bot C&C Server Traffic (group 17)  (emerging-botcc.rules)
 2404017 - ET DROP Known Bot C&C Server Traffic (group 18)  (emerging-botcc.rules)
 2404018 - ET DROP Known Bot C&C Server Traffic (group 19)  (emerging-botcc.rules)
 2404019 - ET DROP Known Bot C&C Server Traffic (group 20)  (emerging-botcc.rules)
 2404020 - ET DROP Known Bot C&C Server Traffic (group 21)  (emerging-botcc.rules)
 2405000 - ET DROP Known Bot C&C Traffic (group 1) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405001 - ET DROP Known Bot C&C Traffic (group 2) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405002 - ET DROP Known Bot C&C Traffic (group 3) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405003 - ET DROP Known Bot C&C Traffic (group 4) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405004 - ET DROP Known Bot C&C Traffic (group 5) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405005 - ET DROP Known Bot C&C Traffic (group 6) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405006 - ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405007 - ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405008 - ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405009 - ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405010 - ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405011 - ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405012 - ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405013 - ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405014 - ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405015 - ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405016 - ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405017 - ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405018 - ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405019 - ET DROP Known Bot C&C Traffic (group 20) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)
 2405020 - ET DROP Known Bot C&C Traffic (group 21) - BLOCKING SOURCE (emerging-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2008403 - ET MALWARE Realtimegaming.com/Windows Casino Online Gaming Checkin (emerging-malware.rules)
 2008486 - CURRENT_EVENTS Fake Airline E-ticket Email Inbound (emerging.rules)
 2008499 - ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) (emerging.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-drop-BLOCK.rules (2):
        #  VERSION 1288
        #  Generated 2008-09-06 00:03:02 EDT

     -> Added to emerging-drop.rules (2):
        #  VERSION 1288
        #  Generated 2008-09-06 00:03:02 EDT

     -> Added to emerging-policy.rules (2):
        # from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it
        # Rule by SERPRO-Recife Security Team

     -> Added to emerging-sid-msg.map (10):
        2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server
        2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server
        2008532 || ET TROJAN Bifrose Connect to Controller (variant 2)
        2008533 || ET POLICY Possible External Ultrasurf Anonymizer DNS Query
        2008536 || ET SCAN Halberd Load Balanced Webserver Detection Scan || url,www.halberd.superadditive.com
        2008537 || ET SCAN Hmap Webserver Fingerprint Scan || url,www.ujeni.murkyroc.com/hmap/
        2008538 || ET SCAN Sqlmap SQL Injection Scan || url,sqlmap.sourceforge.net
        2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail
        2008540 || ET TROJAN Hupigon.dkxh Checkin to CnC
        2008541 || ET TROJAN Bravix Checkin

     -> Added to emerging-sid-msg.map.txt (10):
        2008530 || ET CURRENT_EVENTS Danmec Infected machine Looking up CnC Server
        2008531 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server
        2008532 || ET TROJAN Bifrose Connect to Controller (variant 2)
        2008533 || ET POLICY Possible External Ultrasurf Anonymizer DNS Query
        2008536 || ET SCAN Halberd Load Balanced Webserver Detection Scan || url,www.halberd.superadditive.com
        2008537 || ET SCAN Hmap Webserver Fingerprint Scan || url,www.ujeni.murkyroc.com/hmap/
        2008538 || ET SCAN Sqlmap SQL Injection Scan || url,sqlmap.sourceforge.net
        2008539 || ET CURRENT_EVENTS Airmail Express Malware-Laden Email Inbound || url,www.news.portalit.net/fullnews_airmail-express-delivers-fresh-trojan_1506.html || url,www.sophos.com/blogs/gc/g/2008/09/01/email-with-the-subject-airmail
        2008540 || ET TROJAN Hupigon.dkxh Checkin to CnC
        2008541 || ET TROJAN Bravix Checkin

     -> Added to emerging-virus.rules (1):
        #by Jeffrey Brown,  re 33f56ffda981afa725d530be3d1e1cfb

     -> Added to emerging.rules (4):
        #by Veerendra GG
        # To be removed about sep 15 if the attacks have passed
        #by Jack Pepper. Should be removed in a week or so
        #by matt jonkman

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-drop-BLOCK.rules (2):
        #  VERSION 1281
        #  Generated 2008-08-30 00:03:02 EDT

     -> Removed from emerging-drop.rules (2):
        #  VERSION 1281
        #  Generated 2008-08-30 00:03:02 EDT

     -> Removed from emerging-sid-msg.map (3):
        2008403 || ET MALWARE Realtimegaming.com/Windows Casino Online Gaming Checkin
        2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
        2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5

     -> Removed from emerging-sid-msg.map.txt (3):
        2008403 || ET MALWARE Realtimegaming.com/Windows Casino Online Gaming Checkin
        2008486 || CURRENT_EVENTS Fake Airline E-ticket Email Inbound || url,www.sophos.com/security/blog/2008/07/1604.html || url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack
        2008499 || ET CURRENT_EVENTS Fake CNN alert Malware download (adobe_flash.exe) || url,info.prevx.com/aboutprogramtext.asp?PX5=8F3D24A4003F66983457019EED05CB00A97B99D5

     -> Removed from emerging.rules (3):
        #by Will Metcalf, regarding the fake CNN alerts out there
        #by Chandan at secpod.com
        # 01/08/2008 E-Ticket
