[Snort-users] Some signatures not appearing in the log

Conma conma293 at ...11827...
Thu Apr 17 08:07:40 EDT 2014


I thought that if you set the 'security' policy setting in PulledPork it only downloads VRT, but this does not seem to be the case...

Sorry to ask another question on your thread, but I seem to only be getting alert descriptions for some (I think predominantly VRT) rules, while a lot just say the stupid "snort rule 1:2464454" thing....

Any guidance on this? I assumed that came from the sid-msg.map, which PulledPork updates anyway?

Sent from my iPad

> On 17/04/2014, at 7:55 pm, Anshuman Anil Deshmukh <anshuman at ...16510...> wrote:
> 
> Hi,
>  
> I was just cross-referencing the latest Daily Ruleset Update Summary with my latest signature update log. I see that one of the signatures is missing. The missing signature is "2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken, ultimately all the rules should get downloaded no matter which rule state we use; the rule state would just enable or disable a rule depending upon which rule state is configured.
>  
> I am using the state "Security over connectivity". PulledPork 0.70 is used to update the rules; we are on Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old, but as I am already getting all other signatures it doesn't look like an issue with the Snort version, right? This is my test setup and it is used for learning purposes.
>  
> See the log extract from sid_changes.log below.
>  
> Thank you in advance.
>  
> -=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-
>  
> New Rules
>      ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
>      ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
>      ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
>      ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
>      ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
>      ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
>      ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
>      ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
>      ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
>      ET TROJAN Common Upatre Header Structure (1:2018394)
>      ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
>      ET TROJAN plasmabot Checkin (1:2018393)
>  
> Deleted Rules
>      ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
>      ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
>      ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
>      ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
>      ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
>      ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)
>  
> Set Policy: security
>  
> Rule Totals
>      New:-------12
>      Deleted:---6
>      Enabled:---6148
>      Dropped:---0
>      Disabled:--32295
>      Total:-----38443
>  
> IP Blacklist Stats
>      Total IPs:-----2590
>  
> -=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-
>  
>  
> Regards,
> Anshuman
>  
> -----Original Message-----
> From: emerging-updates-bounces at ...15591... [mailto:emerging-updates-bounces at ...15591...] On Behalf Of Francis Trudeau
> Sent: Thursday, April 17, 2014 4:28 AM
> To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
> Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014
>  
> [***] Summary: [***]
>  
> 6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK, InstallBrain, Hupigon.
>  
> Thanks:  Nathan Fowler, tdzmont, @EKWatcher
>  
> [+++]          Added rules:          [+++]
>  
> Open:
>  
>   2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
>   2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
>   2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
>   2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
>   2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
>   2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
>  
> Pro:
>  
>   2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
>   2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
>   2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
>   2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
>   2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
>   2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
>   2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
>   2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
>   2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
>   2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)
>  
>  
> [///]     Modified active rules:     [///]
>  
>   2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
>   2017714 - ET TROJAN PlugX Checkin (trojan.rules)
>   2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
>   2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
>   2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
>   2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
>   2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
>   2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)
>  
>  
> [---]         Removed rules:         [---]
>  
>   2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
>   2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
>  
> 
> 
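A check for the question raised in the quoted message, added here as an example (not code from the thread, from PulledPork or from Emerging Threats): parse the Daily Ruleset Update Summary and the sid_changes.log excerpts and classify each SID the summary says was added. The excerpts are constructed from the lines quoted above; 2008282 appears under both Added and Removed in the summary, so its SID already existed and a SID-level diff like sid_changes.log has nothing to report for it, while a SID in neither list is the one worth chasing in the downloaded tarball and the policy state.

```python
import re

# Constructed excerpts, modelled on the two logs quoted in the thread (not the full files).
SID_CHANGES_LOG = """\
New Rules
     ET TROJAN plasmabot Checkin (1:2018393)
Deleted Rules
     ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
Set Policy: security
"""
DAILY_SUMMARY = """\
[+++]          Added rules:          [+++]
Open:
  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
[---]         Removed rules:         [---]
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
"""

def _parse(text, markers, pattern):
    """Walk the lines, switch section when a marker substring appears, collect rule matches."""
    result, section = {name: {} for name in markers.values() if name}, None
    for line in text.splitlines():
        hit = next((name for key, name in markers.items() if key in line), False)
        if hit is not False:
            section = hit            # a marker mapped to None ends the current section
        elif section and (m := pattern.match(line)):
            result[section][int(m.group("sid"))] = m.group("msg")
    return result

def parse_sid_changes(text):
    """{'new': {sid: msg}, 'deleted': {sid: msg}} from a pulledpork sid_changes.log block."""
    return _parse(text, {"New Rules": "new", "Deleted Rules": "deleted", "Set Policy": None},
                  re.compile(r"^\s+(?P<msg>.+?) \(1:(?P<sid>\d+)\)\s*$"))

def parse_summary(text):
    """{'added': {sid: msg}, 'removed': {sid: msg}} from an ET Daily Ruleset Update Summary."""
    return _parse(text, {"Added rules:": "added", "Modified active": None, "Removed rules:": "removed"},
                  re.compile(r"^\s+(?P<sid>\d+) - (?P<msg>.+?) \(\S+\)\s*$"))

def reconcile(summary, changes):
    """Classify each SID the summary added by what the SID-level diff in sid_changes.log shows."""
    verdict = {}
    for sid in summary["added"]:
        if sid in changes["new"]:
            verdict[sid] = "new"      # SID first seen today, so logged under New Rules
        elif sid in summary["removed"]:
            verdict[sid] = "moved"    # same SID, new msg/file: nothing for a SID diff to log
        else:
            verdict[sid] = "absent"   # not in the downloaded set: check the tarball and policy
    return verdict
```

Run `reconcile(parse_summary(DAILY_SUMMARY), parse_sid_changes(SID_CHANGES_LOG))` against the real files to get one verdict per summary SID.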