Monthly Archives: August 2011

Daily Ruleset Update 8/31/2011

August 31st, 2011 | Categories: Daily Ruleset Update Summary

3 open and 8 Pro rules today, enjoy!!

[+++]          Added rules:          [+++]

 2013502 – ET TROJAN Win32/Wizpop Checkin (trojan.rules)
 2013503 – ET POLICY OS X Software Update Request Outbound (policy.rules)
 2013504 – ET POLICY Ubuntu apt-get User-Agent Outbound (policy.rules)
 2803550 – ETPRO TROJAN Suspicious User-Agent (HTop/) (trojan.rules)
 2803551 – ETPRO TROJAN Trojan.Generic.5475169 Checkin (trojan.rules)
 2803552 – ETPRO TROJAN Trojan-Clicker.Win32.NSIS.bb Install (trojan.rules)
 2803553 – ETPRO TROJAN Win32/Expiro Checkin (trojan.rules)
 2803554 – ETPRO TROJAN Unknown Skplus Related Dropper Checkin (trojan.rules)
 2803555 – ETPRO TROJAN Trojan.Win32.Scar.dhnx Checkin off-ports (trojan.rules)
 2803556 – ETPRO TROJAN Trojan.Win32.Scar.dhnx Checkin (trojan.rules)
 2803557 – ETPRO TROJAN Win32.Palevo.cioz Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2013138 – ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity (mobile_malware.rules)
 2013403 – ET TROJAN Suspicious User-Agent (TheWorld) (trojan.rules)


[---]         Removed rules:         [---]

 2011534 – ET WEB_CLIENT PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt (web_client.rules)

Daily Update Summary 8/30/2011

August 30th, 2011 | Categories: Daily Ruleset Update Summary

16 new Open rules today. 12 new Pro sigs, mostly malware.

Watch the SSL Sigs from Sam Apperson for the known bad Google certs. Panic if you see that!
Also a CI Army update.
Enjoy!

[+++]          Added rules:          [+++]

 2013486 – ET CURRENT_EVENTS Phoenix landing page JAVASMB (current_events.rules)
 2013487 – ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .jar from octal host (current_events.rules)
 2013488 – ET TROJAN Zeus Bot GET to Bing checking Internet connectivity (trojan.rules)
 2013489 – ET TROJAN Best Pack Exploit Pack Binary Load Request (trojan.rules)
 2013490 – ET POLICY NetBIOS nbtstat Type Query Outbound (policy.rules)
 2013491 – ET POLICY NetBIOS nbtstat Type Query Inbound (policy.rules)
 2013492 – ET SCAN McAfee/Foundstone Scanner Web Scan (scan.rules)
 2013493 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.co.be (current_events.rules)
 2013494 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.co.cc (current_events.rules)
 2013495 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.info (current_events.rules)
 2013496 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.co.be (current_events.rules)
 2013497 – ET TROJAN MS Terminal Server User A Login, possible Morto inbound (trojan.rules)
 2013498 – ET POLICY Netflix Streaming Player Access (policy.rules)
 2013499 – ET POLICY IncrediMail Install Callback (policy.rules)
 2013500 – ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 1 (current_events.rules)
 2013501 – ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 2 (current_events.rules)

And the Pro rules:
 2803538 – ETPRO TROJAN Generic.4803182 Checkin (trojan.rules)
 2803539 – ETPRO TROJAN Win32/Dumaru@mm Checkin (trojan.rules)
 2803540 – ETPRO TROJAN Suspicious User-Agent (hopeisnull) (trojan.rules)
 2803541 – ETPRO TROJAN Virus.Downloader.Rozena Checkin (trojan.rules)
 2803542 – ETPRO TROJAN Win32/Hupigon.DZ (trojan.rules)
 2803543 – ETPRO TROJAN Generic.5258925 Checkin (trojan.rules)
 2803544 – ETPRO MALWARE Adware Bargainbuddy.BD Checkin (malware.rules)
 2803545 – ETPRO TROJAN Suspicious User-Agent (SqUeEzEr) (trojan.rules)
 2803546 – ETPRO TROJAN Trojan.Win32.Fucobha.A Checkin 1 (trojan.rules)
 2803547 – ETPRO TROJAN Trojan.Win32.Fucobha.A Checkin 2 (trojan.rules)
 2803548 – ETPRO TROJAN Win32/Bedobot.A Checkin (trojan.rules)
 2803549 – ETPRO TROJAN RBN-based Trojan 2nd Stage Loader User-Agent (trojan.rules)

[+++]         Enabled rules:         [+++]

 2001984 – ET POLICY SSH session in progress on Unusual Port (policy.rules)

[///]     Modified active rules:     [///]

 2011588 – ET TROJAN Zeus Bot Request to CnC (trojan.rules)

 2803509 – ETPRO TROJAN Win32/Dogrobot.D Checkin (trojan.rules)

Daily Update Summary 8/29/2011

August 29th, 2011 | Categories: Daily Ruleset Update Summary

We’ve whipped out the malware bat again today: 7 new open rules and 27 new Pro rules, 16 of which are malware. We love this stuff! Also an RBN ruleset update today, with several nets removed.

A note on the changes to Snort 2.9.1 and file_data: the way we’ve used file_data in the Open and Pro rulesets is not affected. We’ve always used it as a way to set the cursor and then work with relative options from there. We have not used it in any SMTP signatures, so no issues there.
Suricata uses file_data this way as well: it sets the cursor to the start of the HTTP payload after the headers (essentially after |0d 0a 0d 0a|).
So you are just fine using our most current rulesets with 2.9.1. Suricata has its own ruleset of course, with significantly different coverage in the same rules.
We will do more in-depth testing and get 2.9.1 into our QA cycle, but for now no worries!
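To make the file_data point concrete, here is an added illustration (not Emerging Threats code and not a real rule engine) that models the cursor being placed just past the |0d 0a 0d 0a| header terminator and a chain of relative content checks running from there; the sample HTTP responses are constructed, and the distance/within handling is a simplified approximation of the Snort/Suricata semantics.

```python
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"  # |0d 0a 0d 0a|: end of HTTP headers, start of payload


def file_data_cursor(response: bytes) -> int:
    """Offset where file_data places the cursor: the first byte after the
    header terminator. Returns -1 if the response has no header terminator."""
    idx = response.find(HEADER_END)
    return -1 if idx < 0 else idx + len(HEADER_END)


def match_relative(buf: bytes, cursor: int, pattern: bytes,
                   distance: int, within: Optional[int]) -> int:
    """Approximate a content match with distance/within relative to cursor.
    `distance` skips bytes from the cursor; `within` bounds the window (counted
    here from the post-distance position, a simplification) that the whole
    pattern must fit in. Returns the cursor after the match, or -1."""
    start = cursor + distance
    end = len(buf) if within is None else start + within
    idx = buf.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)


def rule_matches(response: bytes,
                 contents: List[Tuple[bytes, int, Optional[int]]]) -> bool:
    """Evaluate a chain of relative content checks that all hang off the
    file_data cursor, the way the rulesets discussed above use it."""
    cursor = file_data_cursor(response)
    if cursor < 0:
        return False
    for pattern, distance, within in contents:
        cursor = match_relative(response, cursor, pattern, distance, within)
        if cursor < 0:
            return False
    return True


# Constructed sample responses (not captured traffic).
PDF_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
                b"%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript >> >>\nendobj\n")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\nX-Debug: %PDF-1.4 /JavaScript\r\n\r\n"
                 b"<html><body>hello</body></html>")

# Equivalent of: file_data; content:"%PDF-"; within:5; content:"/JavaScript"; distance:0;
PDF_JS_RULE = [(b"%PDF-", 0, 5), (b"/JavaScript", 0, None)]

if __name__ == "__main__":
    print(rule_matches(PDF_RESPONSE, PDF_JS_RULE))   # True: body starts with PDF magic
    print(rule_matches(HTML_RESPONSE, PDF_JS_RULE))  # False: the same bytes sit in a header
```

The second sample shows why the cursor position matters: identical bytes inside a header are never examined once file_data has moved the cursor to the payload.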


[+++]          Added rules:          [+++]

 2013479 – ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (scan.rules)
 2013480 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.net (current_events.rules)
 2013481 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jaifr.com (current_events.rules)
 2013482 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jaifr.net (current_events.rules)
 2013483 – ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.co.cc (current_events.rules)
 2013484 – ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client (current_events.rules)

And the Pro rules:
 2013485 – ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received (current_events.rules)
 2803515 – ETPRO TROJAN Suspicious User-Agent (DarkShell) (trojan.rules)
 2803516 – ETPRO TROJAN Suspicious User-Agent (HTTP_FILEDOWN) (trojan.rules)
 2803517 – ETPRO TROJAN Suspicious User-Agent (d3spr3z0) (trojan.rules)
 2803518 – ETPRO TROJAN Backdoor.Win32.WootBot.A IRC LOGIN (trojan.rules)
 2803519 – ETPRO TROJAN Backdoor.Win32.WootBot.A Joining IRC Channel (trojan.rules)
 2803520 – ETPRO TROJAN Backdoor.Win32.Xtrat.A Checkin 1 (trojan.rules)
 2803521 – ETPRO TROJAN Backdoor.Win32.Xtrat.A Checkin 2 (trojan.rules)
 2803522 – ETPRO TROJAN Win32.Rorpian Checkin (trojan.rules)
 2803523 – ETPRO ACTIVEX F-Secure Multiple Products fsresh.dll ActiveX Stack Buffer Overflow (activex.rules)
 2803524 – ETPRO TROJAN Trojan-PSW.BAT.Labt.c sending info via SMTP (trojan.rules)
 2803525 – ETPRO TROJAN Backdoor.Win32.Derusbi.A Checkin (trojan.rules)
 2803526 – ETPRO TROJAN Trojan-Downloader.Win32.Yakes.cbi Checkin (trojan.rules)
 2803527 – ETPRO TROJAN Backdoor.Win32.Yunsip.A Checkin 1 (trojan.rules)
 2803528 – ETPRO TROJAN Backdoor.Win32.Yunsip.A Checkin off-ports (trojan.rules)
 2803529 – ETPRO WEB_CLIENT Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading – Set (web_client.rules)
 2803530 – ETPRO WEB_CLIENT Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading (web_client.rules)
 2803531 – ETPRO NETBIOS Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading – SMB ASCII (netbios.rules)
 2803532 – ETPRO NETBIOS Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading – SMB Unicode (netbios.rules)
 2803533 – ETPRO NETBIOS Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading – SMB-DS ASCII (netbios.rules)
 2803534 – ETPRO NETBIOS Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading – SMB-DS Unicode (netbios.rules)
 2803535 – ETPRO TROJAN Suspicious User-Agent (hkMozil) (trojan.rules)
 2803536 – ETPRO TROJAN Suspicious User-Agent (IS Download DLL) (trojan.rules)
 2803537 – ETPRO TROJAN Backdoor.DsBot.dov/Win32.Morto.A Checkin (trojan.rules)

[///]     Modified active rules:     [///]

 2007616 – ET USER_AGENTS klm123.com Spyware User Agent (user_agents.rules)
 2011489 – ET TROJAN Meredrop/Nusump Checkin (trojan.rules)
 2012609 – ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host (current_events.rules)
 2013094 – ET CURRENT_EVENTS Phoenix URI Requested Contains /?[0-9a-f]{60,66} (current_events.rules)
 2013313 – ET TROJAN Obfuscated Javascript Often Used in Drivebys 3 (trojan.rules)
 2013314 – ET TROJAN Phoenix Landing Page Obfuscated Javascript 2 (trojan.rules)
 2013477 – ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER (policy.rules)
 2013478 – ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER (policy.rules)

 2803156 – ETPRO TROJAN Ocibit.A/FakeAlert Checkin 2nd stage (trojan.rules)

Daily Update Summary 8/25/2011

August 25th, 2011 | Categories: Daily Ruleset Update Summary

4 open rules today, 12 new Pro rules. Enjoy!!


[+++]          Added rules:          [+++]

 2013458 – ET POLICY Facebook Like Button Clicked (1) (policy.rules)
 2013459 – ET POLICY Facebook Like Button Clicked (2) (policy.rules)
 2013460 – ET CURRENT_EVENTS HTTP Request to a Suspicious *.c0m.li domain (current_events.rules)
 2013461 – ET TROJAN Win32/Wizpop Initial Checkin (trojan.rules)

And the Pro rules:
 2803499 – ETPRO TROJAN Known Banload User-Agent (PR3) (trojan.rules)
 2803502 – ETPRO TROJAN Virus.Win32.Sality.k Checkin (trojan.rules)
 2803503 – ETPRO DOS Apache httpd Ranges Header Field Memory Exhaustion (dos.rules)
 2803504 – ETPRO TROJAN Backdoor.Win32.Agobot.ast Checkin 1 (trojan.rules)
 2803505 – ETPRO TROJAN Backdoor.Win32.Agobot.ast Checkin 2 (trojan.rules)
 2803506 – ETPRO MALWARE Arcadeweb LLC User-Agent awi v2. (malware.rules)
 2803507 – ETPRO TROJAN Common Downloader Header Pattern UH at high ports (trojan.rules)
 2803508 – ETPRO TROJAN Suspicious User-Agent opera/8.11 (trojan.rules)
 2803509 – ETPRO TROJAN Win32/Dogrobot.D Checkin (trojan.rules)
 2803510 – ETPRO TROJAN Win32/Bumat!rts Checkin (trojan.rules)
 2803511 – ETPRO TROJAN Suspicious user agent(MakeByLc) (trojan.rules)
 2803512 – ETPRO TROJAN Win32/Agent.QU Checkin (trojan.rules)

[///]     Modified active rules:     [///]

 2008523 – ET TROJAN Generic Trojan Checkin likely Variant.TDss.33 (trojan.rules)
 2013414 – ET POLICY Executable served from Amazon S3 (policy.rules)
 2402000 – ET DROP Dshield Block Listed Source (dshield.rules)
 2803305 – ETPRO TROJAN Common Downloader Header Pattern H (trojan.rules)
 2803488 – ETPRO TROJAN Suspicious User-Agent (anynameforit) (trojan.rules)
 2803490 – ETPRO TROJAN Suspicious User-Agent (DOGX) (trojan.rules)
 2803491 – ETPRO TROJAN Suspicious HTTP STOP Return – Trojan.Win32.FakeAV.cfty or Related Controller (trojan.rules)
 2803492 – ETPRO TROJAN Win32.Lamer.D checkin (trojan.rules)
 2803500 – ETPRO TROJAN Trojan-Dropper.Win32.Mudrop.asj Checkin (trojan.rules)

[---]         Removed rules:         [---]

 2803330 – ETPRO TROJAN Generic.6155037 Checkin (trojan.rules)

Daily Update Summary 8/24/2011

August 24th, 2011 | Categories: Daily Ruleset Update Summary

3 new Open sigs today, 12 new Pro sigs. 
We’ve added another HTTP Header sig as well. These are proving in practice as effective as in testing! Feedback welcome of course.


[+++]          Added rules:          [+++]

 2013455 – ET TROJAN Suspicious User-Agent (GUIDTracker) (trojan.rules)
 2013456 – ET TROJAN Win32/VB.HV Checkin (trojan.rules)
 2013457 – ET POLICY BitCoin User-Agent Likely Bitcoin Miner (policy.rules)

And the Pro rules:
 2803490 – ETPRO TROJAN Suspicious User-Agent (DOGX) (trojan.rules)
 2803491 – ETPRO TROJAN Suspicious HTTP STOP Return – Trojan.Win32.FakeAV.cfty or Related Controller (trojan.rules)
 2803492 – ETPRO TROJAN Win32.Lamer.D checkin (trojan.rules)
 2803493 – ETPRO TROJAN Infostealer.Lemir User-Agent (nowaysave) (trojan.rules)
 2803494 – ETPRO POLICY Common Downloader POST Header Pattern POST ACtHUCo data= (policy.rules)
 2803495 – ETPRO TROJAN Win32.Lexip Checkin (trojan.rules)
 2803496 – ETPRO DOS ISC DHCP Server Packet Processing Denial of Service (dos.rules)
 2803497 – ETPRO TROJAN Win32/Trafog.A Guaguadance Checkin (trojan.rules)
 2803498 – ETPRO MALWARE Adware Funshion.com Install Report (malware.rules)
 2803499 – ETPRO USER_AGENTS Known Banload User-Agent (PR3) (user_agents.rules)
 2803500 – ETPRO TROJAN Trojan-Dropper.Win32.Mudrop.asj Checkin (trojan.rules)
 2803501 – ETPRO TROJAN Trojan.Win32.Swisyn.pqr Checkin (trojan.rules)

[///]     Modified active rules:     [///]

Removed the negation for MS related properties. We’re seeing several trojans use MS for connectivity checks. Please report false positives if any!
 2002400 – ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) (user_agents.rules)
Mostly performance tweaks below:
 2002402 – ET USER_AGENTS Suspicious Spyware Related User Agent (UtilMind HTTPGet) (user_agents.rules)
 2012401 – ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request (current_events.rules)
 2012642 – ET USER_AGENTS Lowercase mozilla/2.0 User-Agent Likely Malware (user_agents.rules)
 2012884 – ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param (current_events.rules)
 2013403 – ET TROJAN Suspicious User-Agent (TheWorld) (trojan.rules)