
List:       emerging-updates
Subject:    Re: [Emerging-updates] [Etpro-sigs] Daily Ruleset Update Summary 11/01/2013
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2013-11-01 19:48:05
Message-ID: 1F98A410-E722-4F60-902F-1A6223636163 () emergingthreatspro ! com


Seems like a rather arbitrary limitation. Any ideas/reason for this Joel?

Regards,

Will

> On Nov 1, 2013, at 1:50 PM, "Williams, Andrew N." <ANDREW.N.WILLIAMS@leidos.com> wrote:
> Sourcefire 3D does it again!
> 
> Looks like sids 2804603 and 2806941 were commented out but still tripped up SEU import because the dest port field was greater than 64 characters!
> Import worked fine after they were completely removed from rule file.
> 
> v/r,
> 
> Andy Williams, CISSP
> Network Security Engineer
> Cybersecurity Business Unit
> Phone 832-629-6821
> andrew.n.williams@leidos.com
> 
> From: etpro-sigs-bounces@lists.emergingthreats.net [mailto:etpro-sigs-bounces@lists.emergingthreats.net] On Behalf Of Will Metcalf
> Sent: Friday, November 01, 2013 12:58 PM
> To: Emerging Sigs; Emerging Threats Updates; ETPro-sigs List
> Subject: [Etpro-sigs] Daily Ruleset Update Summary 11/01/2013
> 
> [***]          Summary:          [***]
> 
> 5 new Open rules. 10 new Pro rules (5/5). Neutrino, W32/Badur.Spy, etc. Thanks to @EKwatcher, @Set_Abominae, Kevin Ross, etc. all.
> [+++]          Added rules:          [+++]
> 
> Open:
> 2017652 - ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013 (current_events.rules)
> 2017653 - ET CURRENT_EVENTS Possible Neutrino Java Exploit/Payload Download Nov 1 2013 (current_events.rules)
> 2017654 - ET TROJAN W32/Badur.Spy User Agent HWMPro (trojan.rules)
> 2017655 - ET TROJAN W32/Badur.Spy User Agent lawl (trojan.rules)
> 2017656 - ET TROJAN W32/InstallMonster.Downloader Checkin (trojan.rules)
> 
> Pro:
> 2803509 - ETPRO TROJAN Win32/Dogrobot.D Checkin (trojan.rules)
> 2807166 - ETPRO EXPLOIT EMC Replication Manager Command Execution (exploit.rules)
> 2807167 - ETPRO POLICY Baidu Spider Crawler User-Agent (baiduspider) (policy.rules)
> 2807168 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 3 (trojan.rules)
> 2807169 - ETPRO TROJAN Win32/SystemHijack.gen Checkin 2 (trojan.rules)
> 
> [---]  Disabled and modified rules:  [---]
> 
> 2016551 - ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar (current_events.rules)
> 2016975 - ET CURRENT_EVENTS Neutrino EK Landing URI Format (current_events.rules)
> 2017104 - ET CURRENT_EVENTS Neutrino EK Landing URI Format July 04 2013 (current_events.rules)
> 2017179 - ET CURRENT_EVENTS Possible Neutrino Java Payload Download (current_events.rules)
> 2017180 - ET CURRENT_EVENTS Possible Neutrino Java Payload Download 2 (current_events.rules)
> 2017266 - ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 30 2013 (current_events.rules)
> 2017267 - ET CURRENT_EVENTS Possible Neutrino Java Exploit Download Sep 30 2013 (current_events.rules)
> 2017268 - ET CURRENT_EVENTS Possible Neutrino Java Payload Download Sep 30 2013 (current_events.rules)
> 2017491 - ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 19 2013 (current_events.rules)
> 2017492 - ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 19 2013 (current_events.rules)
> 2017493 - ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 19 2013 (current_events.rules)
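
A pre-import check in the spirit of Andy's report, added here as an example and not code from this thread or from Emerging Threats: it walks a rules file, parses the standard seven-token rule header (including commented-out rules, since those were the ones that still tripped the importer), and lists any rule whose destination port field is longer than 64 characters. The 64-character limit is taken from the report above and is assumed to apply to the field as written; the sample rules are constructed.

```python
import re

# Constructed sample rules (not from the thread). Rule 2 is commented out but
# still carries a destination port list longer than 64 characters.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"short dport"; sid:1000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024,2048,3072,4096,5120,6144,7168,8192,9216,10240,11264,12288,13312] (msg:"long dport, disabled"; sid:1000002; rev:1;)
alert udp any any -> any [53,5353] (msg:"ok"; sid:1000003; rev:1;)
"""

MAX_PORT_FIELD = 64  # limit as reported in the thread (assumed per-field)


def split_header(header):
    """Split a rule header on whitespace, keeping bracketed lists (even nested) whole."""
    tokens, cur, depth = [], "", 0
    for ch in header:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + ([cur] if cur else [])


def parse_rule(line):
    """Return (sid, commented_out, dst_port_field) for a rule line, else None."""
    stripped = line.strip()
    commented = stripped.startswith("#")
    body = stripped.lstrip("# ")  # look past the comment marker, as the importer did
    if "(" not in body:
        return None
    header, options = body.split("(", 1)
    tokens = split_header(header)  # action proto src sport dir dst dport
    if len(tokens) != 7:
        return None
    m = re.search(r"\bsid:\s*(\d+)", options)
    return (int(m.group(1)) if m else None), commented, tokens[6]


def find_long_port_fields(rules_text, limit=MAX_PORT_FIELD):
    """List (sid, commented_out, field_length) for rules whose dst port field exceeds limit."""
    hits = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and len(parsed[2]) > limit:
            hits.append((parsed[0], parsed[1], len(parsed[2])))
    return hits
```

Run `find_long_port_fields(open("emerging-all.rules").read())` against a real ruleset to get the sids to drop before an SEU import.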


_______________________________________________
Emerging-updates mailing list
Emerging-updates@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates

