List:       snort-sigs
Subject:    [Snort-sigs] Emerging Threats Weekly Signature Changes
From:       emerging () emergingthreats ! net
Date:       2008-06-21 22:00:08
Message-ID: 20080621220008.BD31C4513E () goliath ! jonkmans ! com


[***] Results from Oinkmaster started Sat Jun 21 18:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2008283 - ET TROJAN Banload HTTP Checkin Detected (quem=) (emerging-virus.rules)
 2008284 - ET POLICY Inbound HTTP CONNECT Attempt on Off Port (emerging-policy.rules)
 2008285 - ET TROJAN RLPacked Binary - Likely Hostile (emerging-virus.rules)
 2008286 - ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server (emerging.rules)
 2008288 - ET CURRENT_EVENTS Storm Worm URL Request (video.exe) (emerging.rules)
 2008289 - ET POLICY Possible MSN Messenger File Transfer (emerging-policy.rules)


[///]     Modified active rules:     [///]

 2002029 - ET TROJAN BOT - channel topic scan/exploit command (emerging-virus.rules)
 2002030 - ET TROJAN BOT - potential scan/exploit command (emerging-virus.rules)
 2008077 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) (emerging.rules)
 2008235 - ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) (emerging.rules)


[---]         Removed rules:         [---]

 2000547 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000548 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000549 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2000550 - ET HTTP CONNECT Tunnel (emerging-policy.rules)
 2003264 - ET MALWARE HTTP Connect Request Inbound (Windows Source) (emerging-malware.rules)
 2003265 - ET MALWARE HTTP Connect Request Inbound (Linux Source) (emerging-malware.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-policy.rules (1):
        #by Sp0oker

     -> Added to emerging-sid-msg.map (8):
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) || url,www.sudosecure.net/archives/119
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119
        2008283 || ET TROJAN Banload HTTP Checkin Detected (quem=)
        2008284 || ET POLICY Inbound HTTP CONNECT Attempt on Off Port
        2008285 || ET TROJAN RLPacked Binary - Likely Hostile || url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/ || url,rlpack.jezgra.net
        2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server
        2008288 || ET CURRENT_EVENTS Storm Worm URL Request (video.exe)
        2008289 || ET POLICY Possible MSN Messenger File Transfer || url,www.hypothetic.org/docs/msn/client/file_transfer.php

     -> Added to emerging-sid-msg.map.txt (8):
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (beijing.exe) || url,www.sudosecure.net/archives/119
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof) || url,www.sudosecure.net/archives/119
        2008283 || ET TROJAN Banload HTTP Checkin Detected (quem=)
        2008284 || ET POLICY Inbound HTTP CONNECT Attempt on Off Port
        2008285 || ET TROJAN RLPacked Binary - Likely Hostile || url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/ || url,rlpack.jezgra.net
        2008286 || ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server
        2008288 || ET CURRENT_EVENTS Storm Worm URL Request (video.exe)
        2008289 || ET POLICY Possible MSN Messenger File Transfer || url,www.hypothetic.org/docs/msn/client/file_transfer.php

     -> Added to emerging-virus.rules (1):
        #by Daniel Clemens

     -> Added to emerging.rules (2):
        #by Daniel Clemens
        #Jack Pepper

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-policy.rules (1):
        #Submitted by Brandon Barnes

     -> Removed from emerging-sid-msg.map (8):
        2000547 || ET HTTP CONNECT Tunnel
        2000548 || ET HTTP CONNECT Tunnel
        2000549 || ET HTTP CONNECT Tunnel
        2000550 || ET HTTP CONNECT Tunnel
        2003264 || ET MALWARE HTTP Connect Request Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003265 || ET MALWARE HTTP Connect Request Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Removed from emerging-sid-msg.map.txt (8):
        2000547 || ET HTTP CONNECT Tunnel
        2000548 || ET HTTP CONNECT Tunnel
        2000549 || ET HTTP CONNECT Tunnel
        2000550 || ET HTTP CONNECT Tunnel
        2003264 || ET MALWARE HTTP Connect Request Inbound (Windows Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2003265 || ET MALWARE HTTP Connect Request Inbound (Linux Source) || url,www.ietf.org/rfc/rfc3089.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1928.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,ss5.sourceforge.net/socks4.protocol.txt || url,en.wikipedia.org/wiki/SOCKS || url,handlers.sans.org/wsalusky/rants/
        2008077 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (loveyou.exe) || url,www.sudosecure.net/archives/61
        2008235 || ET CURRENT_EVENTS Possible Storm Worm EXE Request (iloveyou.exe) || url,www.sudosecure.net/archives/61

     -> Removed from emerging.rules (1):
        #by matt jonkman


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

