Dewhirst, Rob | 23 Apr 15:47 2014

2018382 and 2018382 port lists

Can I suggest we condense this port list so it doesn't run afoul of
the sourcefire 64 character port limit?

Is it a big deal to change 992,993,994,995 to 992-995?

Or split the sigs up by services like mail, directories and file transfer?
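One way to test the first suggestion mechanically, as an added example that is not code from the list or from any ruleset: expand a rule's numeric port list, re-emit it with consecutive ports collapsed into ranges, and report whether the result stays under the limit. It assumes Snort's own range syntax (`992:995`, colon rather than the dash used in the post), the 64-character limit quoted in the post, and plain numeric port lists without variables or negation.

```python
import re

# Limit named in the post for the Sourcefire port-list field (assumed from the post).
SOURCEFIRE_PORT_LIST_LIMIT = 64


def parse_ports(spec):
    """Expand a Snort-style numeric port list such as "[25,110,992,993,994,995]"
    or "992:995" into the set of individual ports it covers."""
    ports = set()
    for item in spec.strip().strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
        if not m:
            raise ValueError("unsupported port item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port out of range: %r" % item)
        ports.update(range(lo, hi + 1))
    return ports


def condense_ports(ports):
    """Render a set of ports as a Snort port list with every run of consecutive
    ports collapsed into a lo:hi range; singletons are kept as-is."""
    ordered = sorted(set(ports))
    if not ordered:
        raise ValueError("empty port set")
    runs = []
    start = prev = ordered[0]
    for p in ordered[1:]:
        if p == prev + 1:
            prev = p
            continue
        runs.append((start, prev))
        start = prev = p
    runs.append((start, prev))
    items = [str(lo) if lo == hi else "%d:%d" % (lo, hi) for lo, hi in runs]
    # A single item needs no brackets; a list does.
    return items[0] if len(items) == 1 else "[" + ",".join(items) + "]"


def check_port_list(spec, limit=SOURCEFIRE_PORT_LIST_LIMIT):
    """Condense a port list and confirm it covers exactly the same ports."""
    ports = parse_ports(spec)
    condensed = condense_ports(ports)
    return {
        "original_length": len(spec),
        "condensed": condensed,
        "condensed_length": len(condensed),
        "fits": len(condensed) <= limit,
        "same_ports": parse_ports(condensed) == ports,
    }


if __name__ == "__main__":
    # Constructed list in the style of the mail/directory/file-transfer ports discussed.
    print(check_port_list("[25,110,143,992,993,994,995]"))
```

The `same_ports` round-trip is the check worth keeping in a rule-maintenance script: a condensed list that no longer matches the original set is a silent detection gap, which is worse than a rule the sensor refuses to import.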
Francis Trudeau | 23 Apr 00:47 2014

Daily Ruleset Update Summary 04/22/2014

 [***] Summary: [***]

 5 new open signatures, 11 new Pro (5+6).  Fiesta, Destrukor, Swisyn.dcit.

 Thanks:  Nathan Fowler.

 [+++]          Added rules:          [+++]

 Open:

  2018407 - ET CURRENT_EVENTS Fiesta URI Struct (current_events.rules)
  2018408 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (current_events.rules)
  2018409 - ET CURRENT_EVENTS Fiesta SilverLight Exploit Download
(current_events.rules)
  2018410 - ET CURRENT_EVENTS Fiesta Flash Exploit Download
(current_events.rules)
  2018411 - ET CURRENT_EVENTS Fiesta Flash Exploit Download
(current_events.rules)

 Pro:

  2807973 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.eemn Checkin (trojan.rules)
  2807974 - ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
  2807975 - ETPRO TROJAN Trojan.DownLoader9.54232 Checkin (trojan.rules)
  2807976 - ETPRO TROJAN Trojan.Win32.Swisyn.dcit Checkin (trojan.rules)
  2807977 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin 2 (trojan.rules)
  2807978 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin via SMTP
(trojan.rules)

 [///]     Modified active rules:     [///]

Kevin Ross | 22 Apr 23:03 2014

SIG: ET TROJAN W32/Tepfer.InfoStealer CnC Beacon

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; classtype:trojan-activity; reference:md5,6e715fe727f927bc76e923d2e524d1e3; sid:1392991; rev:1;)

Regards,
Kevin
Jesse Norell | 22 Apr 20:21 2014

file identify rules needing noalert

I'm new to snort rules here, so I may be off, but these two rules appear
that they should only identify publisher file types, and hence should
have flowbits:noalert set.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected";
flow:to_client,established; file_data; content:"CHNKINK ";
flowbits:set,file.pub; metadata:service ftp-data, service http, service
imap, service pop3; reference:cve,2006-0001;
reference:url,en.wikipedia.org/wiki/Microsoft_publisher;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054;
classtype:misc-activity; sid:8478; rev:15;)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY
Microsoft Office Publisher file magic detected";
flow:to_server,established; file_data; content:"CHNKINK ";
flowbits:set,file.pub; metadata:service smtp; reference:cve,2006-0001;
reference:url,en.wikipedia.org/wiki/Microsoft_publisher;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054;
classtype:misc-activity; sid:23714; rev:3;)

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
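A small audit that encodes the heuristic in the post, as an added example (not code from the list, from Sourcefire or from Snort): a rule whose `msg` starts with `FILE-IDENTIFY`, that only sets a flowbit and never tests one, is a classifier for the rules that consume the bit and is expected to carry `flowbits:noalert`. The quoted rule (sid 8478) is taken from the post; the variant with `noalert` added and the flowbit-consuming rule with a placeholder sid are constructed for the example. The option tokenizer honours double-quoted arguments, so a `;` inside `msg` or `content` does not split an option.

```python
import re

# Rule quoted in the post (Sourcefire FILE-IDENTIFY rule, sid 8478).
RULE_8478 = '''alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-IDENTIFY Microsoft Office Publisher file magic detected";
flow:to_client,established; file_data; content:"CHNKINK ";
flowbits:set,file.pub; metadata:service ftp-data, service http, service
imap, service pop3; reference:cve,2006-0001;
reference:url,en.wikipedia.org/wiki/Microsoft_publisher;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-054;
classtype:misc-activity; sid:8478; rev:15;)'''

# Constructed variants, not from the page: the same rule with flowbits:noalert,
# and a rule that consumes the flowbit (placeholder sid, placeholder content).
RULE_8478_NOALERT = RULE_8478.replace("flowbits:set,file.pub;",
                                      "flowbits:set,file.pub; flowbits:noalert;")
RULE_CONSUMER = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
                 '(msg:"FILE-OFFICE constructed Publisher check"; flow:to_client,established; '
                 'flowbits:isset,file.pub; file_data; content:"placeholder"; '
                 'classtype:attempted-user; sid:1000001; rev:1;)')


def rule_options(rule):
    """Split the option section of a Snort rule into (keyword, argument) pairs,
    keeping ';' and ':' inside double-quoted arguments intact."""
    rule = re.sub(r"\s*\n\s*", " ", rule.strip())   # re-join wrapped lines
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    pairs = []
    for opt in opts:
        if opt:
            kw, _, arg = opt.partition(":")
            pairs.append((kw.strip(), arg.strip() or None))
    return pairs


def flowbits_audit(rule):
    """Report how a rule uses flowbits and whether, by the post's heuristic,
    it is an identify-only rule that is missing flowbits:noalert."""
    opts = rule_options(rule)

    def first(keyword):
        return next((arg for kw, arg in opts if kw == keyword), None)

    msg = (first("msg") or "").strip('"')
    fb = [arg for kw, arg in opts if kw == "flowbits" and arg]
    sets = [arg.split(",", 1)[1] for arg in fb if arg.startswith("set,")]
    checks = [arg for arg in fb if arg.startswith(("isset,", "isnotset,"))]
    noalert = "noalert" in fb
    identify_only = msg.startswith("FILE-IDENTIFY") and bool(sets) and not checks
    return {"sid": first("sid"), "msg": msg, "sets": sets, "checks": checks,
            "noalert": noalert, "needs_noalert": identify_only and not noalert}


def needs_noalert(rules):
    """Sids of the rules in a ruleset that the audit flags."""
    return [r["sid"] for r in map(flowbits_audit, rules) if r["needs_noalert"]]


if __name__ == "__main__":
    for rule in (RULE_8478, RULE_8478_NOALERT, RULE_CONSUMER):
        print(flowbits_audit(rule))
```

Run against a whole `.rules` file, the audit gives a short list to review by hand; whether a given identify rule should really be silent is still a judgement about what the ruleset's consumers expect, which the heuristic cannot make.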
Jesse Norell | 22 Apr 18:03 2014

DNS Reply sinkhole rules

Hello,

  I had a bad setup/scenario that caused all the gtld-servers to get
blocked from matches on a DNS Reply rule for a sinkhole server address,
and wanted to see if there may be some improvement to be found in those
rules or their categorization.  Also please mention any recommendations
in network architecture/scanner location that seem obvious.

  I'm running snort on a firewall (pfsense) that protects some servers,
including customer DNS servers, and also serves some clients (vpn and
nat).  HOME_NET covers all our network blocks (clients and servers).

  The scenario we had was a client making a DNS request to our DNS
server for a sinkholed domain.  Our server recursed the DNS lookup and
got a DNS reply from the various *.gtld-servers.net which included the
sinkhole IP address, and shortly all the gtld-servers became blocked.

  The particular rule hit was:

                alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET
                TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24";
                content:"|00 01 00 01|"; content:"|00 04 c7 02 89|";
                distance:4; within:5; classtype:trojan-activity;
                sid:2016102; rev:2;)

There appear to be several such rules in ET TROJAN and I found a few in
ET DNS categories.

  A quick-fix is to disable those rules of course, but I wondered if
there is a way to make them a little "safer".  My first thought is to
exclude DNS_SERVERS in the destination.  I don't know the syntax but
something like $EXTERNAL_NET 53 -> [!$DNS_SERVERS,$HOME_NET] any.

  Does that make sense to avoid the scenario I hit?  Or does it make the
rule useless on other (maybe more common/sane?) snort configurations?

  Another idea that could make it easier to handle those is to separate
dns request and reply rules into different categories.  At least on the
pfsense platform you could easily disable the DNS REPLY category and
leave DNS REQUEST enabled.

  Thoughts/comments?

Thanks,
Jesse

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net
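To see why the quoted rule fires on a referral from the TLD servers, it helps to read its two `content` matches against the DNS wire format: `|00 01 00 01|` is TYPE A, CLASS IN; `distance:4` skips the 4-byte TTL; `|00 04 c7 02 89|` is RDLENGTH 4 followed by the first three octets of 199.2.137.x. Nothing in that pattern says which section the A record sits in, so a glue record in the additional section of a referral matches just as an answer does. The following is an added example, not code from the list or from Emerging Threats: it builds two constructed replies (a referral with glue, and a final answer), emulates the rule's payload checks, reports which section holds the sinkhole address, and applies the proposed destination of `[$HOME_NET,!$DNS_SERVERS]` to sample addresses. The domain, name server and the `192.0.2.0/24` HOME_NET with a resolver at `192.0.2.53` are constructed values; the 199.2.137.0/24 network and the rule bytes come from the post.

```python
import ipaddress
import struct

# Network named in the rule's msg; its first three octets are the c7 02 89
# that the rule's second content match looks for.
SINKHOLE_NET = ipaddress.ip_network("199.2.137.0/24")
# Constructed sensor variables for the header check (not the poster's real values).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
DNS_SERVERS = [ipaddress.ip_network("192.0.2.53/32")]


def _encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _rr(name, rtype, ttl, rdata):
    return _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_referral(domain, ns_name, glue_ip):
    """Constructed reply of the kind a TLD server sends a recursive resolver:
    empty answer, one NS in authority, and the name server's A (glue) record
    in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 1)
    question = _encode_name(domain) + struct.pack("!HH", 1, 1)
    authority = _rr(domain, 2, 172800, _encode_name(ns_name))
    additional = _rr(ns_name, 1, 172800, ipaddress.ip_address(glue_ip).packed)
    return header + question + authority + additional


def build_answer(domain, ip):
    """Constructed final reply: the queried name resolves to ip in the answer section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name(domain) + struct.pack("!HH", 1, 1)
    return header + question + _rr(domain, 1, 300, ipaddress.ip_address(ip).packed)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def a_records_by_section(msg):
    """Walk the reply and list A records as (name, ip) under their section."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    found = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:
                found[section].append((name, str(ipaddress.ip_address(rdata))))
    return found


def sinkhole_sections(msg):
    """Sections carrying an A record inside SINKHOLE_NET (the rule ignores this)."""
    return [s for s, rrs in a_records_by_section(msg).items()
            if any(ipaddress.ip_address(ip) in SINKHOLE_NET for _, ip in rrs)]


def rule_2016102_matches(payload):
    """Emulate the rule's payload checks. Every occurrence of the first content is
    tried so the result does not depend on which one is found first."""
    first, second = b"\x00\x01\x00\x01", b"\x00\x04\xc7\x02\x89"
    pos = 0
    while (i := payload.find(first, pos)) >= 0:
        start = i + len(first) + 4                     # distance:4 skips the TTL
        if payload[start:start + len(second)] == second:   # within:5
            return True
        pos = i + 1
    return False


def destination_allowed(dst_ip, home_net=HOME_NET, dns_servers=DNS_SERVERS):
    """Header semantics of the proposed destination [$HOME_NET,!$DNS_SERVERS]."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in n for n in home_net) and not any(ip in n for n in dns_servers)


if __name__ == "__main__":
    ref = build_referral("sinkholed.example", "ns1.sinkholed.example", "199.2.137.10")
    print(rule_2016102_matches(ref), sinkhole_sections(ref), destination_allowed("192.0.2.53"))
```

The referral and the final answer both satisfy the byte pattern, which is the behaviour the post describes: on a sensor in front of a recursive resolver, the external address the alert implicates is the authoritative server that sent the referral, not a client. Excluding `$DNS_SERVERS` from the destination leaves the rule covering replies that reach clients directly (hosts using an outside resolver), while traffic to the resolver itself would need a different approach, such as logging resolver queries for the sinkholed names instead of blocking on replies.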
Francis Trudeau | 22 Apr 00:31 2014

Daily Ruleset Update Summary 04/21/2014

 [***] Summary: [***]

 5 new Open, 8 new Pro (5/3).  GreenDou, EL8, Upatre.

 Thanks,  Nathan Fowler, tdzmont,  <at> EKwatcher

 [+++]          Added rules:          [+++]

 Open:

  2018402 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity EK
SilverLight Exploit (current_events.rules)
  2018403 - ET TROJAN GENERIC Zbot Based Loader (trojan.rules)
  2018404 - ET TROJAN GreenDou Downloader User-Agent (hello crazyk)
(trojan.rules)
  2018405 - ET CURRENT_EVENTS DRIVEBY EL8 EK Landing (current_events.rules)
  2018406 - ET POLICY Possible Grams DarkMarket Search DNS Domain
Lookup (policy.rules)

 Pro:

  2807970 - ETPRO TROJAN Win32/Neurevt.A Checkin (trojan.rules)
  2807971 - ETPRO CURRENT_EVENTS Possible Upatre SSL Compromised site
bellabeachwear (current_events.rules)
  2807972 - ETPRO TROJAN Win32/FlyStudio Activity (trojan.rules)

 [///]     Modified active rules:     [///]

  2009078 - ET TROJAN Backdoor Lanfiltrator Checkin (trojan.rules)
  2009299 - ET TROJAN General Trojan Downloader (trojan.rules)
  2009444 - ET TROJAN Virut Family GET (trojan.rules)
  2011236 - ET TROJAN Trojan-Downloader Win32.Genome.avan (trojan.rules)
  2012100 - ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase
Parameters Buffer Overflow (web_client.rules)
  2014163 - ET TROJAN Bifrose/Cycbot Checkin 2 (trojan.rules)
  2015045 - ET INFO Potential Common Malicious JavaScript Loop (info.rules)
  2015808 - ET TROJAN Taidoor Checkin (trojan.rules)
  2016498 - ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With
Payload (current_events.rules)
  2016764 - ET CURRENT_EVENTS SofosFO PDF Payload Download
(current_events.rules)
  2017261 - ET TROJAN TrojanDownloader.Win32/Dofoil.U Trojan Checkin
(trojan.rules)
  2800514 - ETPRO WEB_CLIENT IBM Informix Client SDK NFX File
Processing Stack Buffer Overflow (web_client.rules)
  2800515 - ETPRO WEB_CLIENT IBM Informix Client SDK NFX File
Processing Stack Buffer Overflow (web_client.rules)
  2804434 - ETPRO TROJAN Likely Bot Nick in IRC
([country|so_version|computername]) (trojan.rules)
  2806086 - ETPRO TROJAN QLowZones-6 Checkin (trojan.rules)
  2806100 - ETPRO TROJAN Win32/Vkhost.F .dll download (trojan.rules)
  2806272 - ETPRO TROJAN Win32/Sality.AM Checkin 2 (trojan.rules)
  2806921 - ETPRO TROJAN Win32/Carberp.G Checkin (trojan.rules)
  2807358 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.bk Checkin
(mobile_malware.rules)
  2807425 - ETPRO TROJAN Win32.LockScreen Ransomware checkin (trojan.rules)
  2807429 - ETPRO TROJAN Trojan.Win32.Verti.A (trojan.rules)
  2807614 - ETPRO TROJAN Backdoor.Win32/Delf.DU IRC Checkin (trojan.rules)
  2807656 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After
free (CVE-2014-0285) (web_client.rules)
  2807657 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After
free (CVE-2014-0286) (web_client.rules)
  2807876 - ETPRO TROJAN Backdoor.Win32/Tofsee.F Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2803388 - ETPRO TROJAN Win32/Dynamer!dtc Checkin (trojan.rules)
  2804495 - ETPRO TROJAN Virus.Win32/Sality.T Checkin (trojan.rules)
tdzmont | 20 Apr 13:38 2014

greendou downloader

Here's a sig for a downloader trojan if interested.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"ET Trojan GreenDou Downloader User-Agent (hello crazyk)";  flow:to_server; content:"User-Agent|3A 20|hello crazyk"; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; sid:0; rev:1;)

-tdzmont
Francis Trudeau | 18 Apr 22:56 2014

Daily Ruleset Update Summary 04/18/2014

 [***] Summary: [***]

 1 new Open rule today.  Win32.Kazy.

 [+++]          Added rules:          [+++]

  2018401 - ET TROJAN Win32.Kazy Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2003603 - ET TROJAN W32.Virut.A joining an IRC Channel (trojan.rules)
  2017937 - ET TROJAN Fake/Short Google Search Appliance UA
Win32/Ranbyus and Others (trojan.rules)
  2804765 - ETPRO TROJAN Dirt Jumper/Russkill v5 Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2000041 - ET POLICY Yahoo Mail Inbox View (policy.rules)
  2000042 - ET POLICY Yahoo Mail Message View (policy.rules)
  2000043 - ET POLICY Yahoo Mail Message Compose Open (policy.rules)
  2016857 - ET TROJAN W32/Pushdo CnC Server Fake JPEG Response (trojan.rules)
  2017947 - ET CURRENT_EVENTS Possible Styx Kein Landing URI Struct
(current_events.rules)
Francis Trudeau | 18 Apr 00:12 2014

Daily Ruleset Update Summary 04/17/2014

 [***] Summary: [***]

 2 new Open signatures, 10 new Pro (2+8).  BitCrypt, Various
AndroidOS, Destrukor.

 [+++]          Added rules:          [+++]

 Open:

  2018399 - ET TROJAN BitCrypt site accessed via .onion SSL Proxy (trojan.rules)
  2018400 - ET TROJAN BitCrypt Ransomware Domain (trojan.rules)

 Pro:

  2807962 - ETPRO TROJAN Trojan-PSW.Win32.Tepfer.tlha Checkin (trojan.rules)
  2807963 - ETPRO TROJAN Win32.Induc.O Checkin (trojan.rules)
  2807964 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.ig Checkin
(mobile_malware.rules)
  2807965 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.ABQ Checkin
(mobile_malware.rules)
  2807966 - ETPRO TROJAN W32.Tinba/Zusy Checkin 2 (trojan.rules)
  2807967 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin (trojan.rules)
  2807968 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a
Checkin (mobile_malware.rules)
  2807969 - ETPRO TROJAN Betabot.3 checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2015576 - ET CURRENT_EVENTS DNS Query to tor2web Domain (.onion
proxy) (current_events.rules)
  2016806 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert
(1) (current_events.rules)
  2016810 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert
(2) (current_events.rules)
  2018386 - ET TROJAN cryptodefense Checkin (trojan.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
  2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
Anshuman Anil Deshmukh | 17 Apr 19:34 2014

Re: [Snort-users] Some signatures not appearing in the log

That reminds me to give additional information on my issue. Which is - I'm using the free set of signatures
from ERT & Sourcefire. So in my case VRT is out of scope.

Regards,
Anshuman

Sent from Handheld

On 17-Apr-2014 5:37 pm, Conma <conma293 <at> gmail.com> wrote:
>
> I thought that if you set the 'security' policy setting in pulled pork it only downloads VRT but this does
> not seem to be the case...
>
> Sorry to ask another question on your thread but I seem to only be getting alert descriptions for some (I
> think predom vrt) rules, while a lot just say the stupid snort rule 1:2464454 thing....
>
> Any guidance on this? Assumed that was from the Sid-MSG.map which pulled pork updates anyways?
>
> Sent from my iPad
>
> On 17/04/2014, at 7:55 pm, Anshuman Anil Deshmukh <anshuman <at> cybage.com> wrote:
>
>> Hi,
>>
>>  
>>
>> I was just referring to the latest signature Daily Ruleset update summary with my latest log for
>> signature updates. I see that one of the signature is missing. Signature missing is "2008282 - ET MALWARE
>> Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken
>> ultimately all the rules should get downloaded no matter which rule state we use. Rule state would just
>> enable or disable the rule depending upon which rule state is configured.
>>
>>  
>>
>> I am using the state "Security over connectivity". Pulledpork 0.70 is used to update the rules, we are on
>> Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old but as I am already getting all
>> other signatures it doesn't look an issue with snort version, right? This is my test setup and it is used
>> for learning purpose.
>>
>>  
>>
>> See below log extract from sid_changes.log.
>>
>>  
>>
>> Thank you in advance.
>>
>>  
>>
>> -=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-
>>
>>  
>>
>> New Rules
>>
>>      ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
>>
>>      ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
>>
>>      ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
>>
>>      ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
>>
>>      ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
>>
>>      ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
>>
>>      ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
>>
>>      ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
>>
>>      ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
>>
>>      ET TROJAN Common Upatre Header Structure (1:2018394)
>>
>>      ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
>>
>>      ET TROJAN plasmabot Checkin (1:2018393)
>>
>>  
>>
>> Deleted Rules
>>
>>      ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
>>
>>      ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
>>
>>      ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
>>
>>      ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
>>
>>      ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
>>
>>      ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)
>>
>>  
>>
>> Set Policy: security
>>
>>  
>>
>> Rule Totals
>>
>>      New:-------12
>>
>>      Deleted:---6
>>
>>      Enabled:---6148
>>
>>      Dropped:---0
>>
>>      Disabled:--32295
>>
>>      Total:-----38443
>>
>>  
>>
>> IP Blacklist Stats
>>
>>      Total IPs:-----2590
>>
>>  
>>
>> -=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-
>>
>>  
>>
>>  
>>
>> Regards,
>>
>> Anshuman
>>
>>  
>>
>> -----Original Message-----
>> From: emerging-updates-bounces <at> lists.emergingthreats.net
>> [mailto:emerging-updates-bounces <at> lists.emergingthreats.net] On Behalf Of Francis Trudeau
>> Sent: Thursday, April 17, 2014 4:28 AM
>> To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
>> Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014
>>
>>  
>>
>> [***] Summary: [***]
>>
>>  
>>
>> 6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK, InstallBrain, Hupigon.
>>
>>  
>>
>> Thanks:  Nathan Fowler, tdzmont,  <at> EKWatcher
>>
>>  
>>
>> [+++]          Added rules:          [+++]
>>
>>  
>>
>> Open:
>>
>>  
>>
>>   2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
>>
>>   2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
>>
>>   2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
>>
>>   2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
>>
>>   2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert
>>
>> (current_events.rules)
>>
>>   2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
>>
>>  
>>
>> Pro:
>>
>>  
>>
>>   2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
>>
>>   2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
>>
>>   2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
>>
>>   2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
>>
>>   2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
>>
>>   2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin
>>
>> (trojan.rules)
>>
>>   2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
>>
>>   2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin
>>
>> (mobile_malware.rules)
>>
>>   2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
>>
>>   2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014
>>
>> (current_events.rules)
>>
>>  
>>
>>  
>>
>> [///]     Modified active rules:     [///]
>>
>>  
>>
>>   2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
>>
>> (trojan.rules)
>>
>>   2017714 - ET TROJAN PlugX Checkin (trojan.rules)
>>
>>   2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
>>
>>   2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
>>
>>   2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response
>>
>> (current_events.rules)
>>
>>   2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2
>>
>> (current_events.rules)
>>
>>   2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
>>
>>   2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)
>>
>>  
>>
>>  
>>
>> [---]         Removed rules:         [---]
>>
>>  
>>
>>   2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin
>>
>> (malware.rules)
>>
>>   2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
>>
>> _______________________________________________
>>
>> Emerging-updates mailing list
>>
>> Emerging-updates <at> lists.emergingthreats.net
>>
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>>
>>  
>>
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users <at> lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Dewhirst, Rob | 17 Apr 18:33 2014

negated variables in rules

We were testing another sensor today and found that several rules
won't work (in our case import) because they use negated variables
that might (or do) evaluate to "!any" for a src or dst.

I noticed my (very old) Beale Snort book actually mentions this rule
writing practice was dropped from the default Snort rule set because
of this logic issue.

Is there a technical reason ET has rules using:

!$DNS_SERVERS any -> $DNS_SERVERS
!$SMTP_SERVERS  any -> !$HOME_NET
![$DNS_SERVERS,$SMTP_SERVERS]

Or are these rules just old and no one has used "any" for these
variables before?
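The failure described here is easy to catch before a ruleset is imported: expand each header's source and destination address through the sensor's variable definitions and flag any variable that, under a negation, resolves to `any`. The following is an added example and not code from the list, from Emerging Threats or from Snort. The three header fragments come from the post; the rules around them, their placeholder sids, and the two variable sets are constructed (the "default" set mirrors the usual `ipvar HOME_NET any` with `DNS_SERVERS` and `SMTP_SERVERS` defined as `$HOME_NET`, which is how a rule ends up reading `!any`).

```python
import re

# action proto src_addr src_port direction dst_addr dst_port (options...)
HEADER = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
SID = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed rules built around the header fragments quoted in the post; sids are placeholders.
RULES = [
    'alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"constructed 1"; sid:1000001; rev:1;)',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"constructed 2"; sid:1000002; rev:1;)',
    'alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $HOME_NET 53 (msg:"constructed 3"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> [$HOME_NET,!$DNS_SERVERS] any (msg:"constructed 4"; sid:1000004; rev:1;)',
]
# Variable sets as a sensor might define them (constructed for the example).
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any",
                "DNS_SERVERS": "$HOME_NET", "SMTP_SERVERS": "$HOME_NET"}
TUNED_VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET",
              "DNS_SERVERS": "192.0.2.53", "SMTP_SERVERS": "192.0.2.25"}


def split_list(body):
    """Split the inside of a bracketed list on commas outside nested brackets."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
            continue
        depth += (ch == "[") - (ch == "]")
        cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def negated_any(spec, variables, negated=False):
    """Names of the variables in spec that expand to 'any' while negated, i.e.
    that become the meaningless '!any' after substitution. Variables that point
    at other variables and (nested, negated) lists are followed."""
    spec = spec.strip()
    if spec.startswith("!"):
        return negated_any(spec[1:], variables, not negated)
    if spec.startswith("[") and spec.endswith("]"):
        return [v for item in split_list(spec[1:-1])
                for v in negated_any(item, variables, negated)]
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise KeyError("undefined variable $" + name)
        return [name] if negated_any(variables[name], variables, negated) else []
    return ["any"] if negated and spec.lower() == "any" else []


def audit_rule(rule, variables):
    """Check one rule's source and destination address fields."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: " + rule[:40])
    sid = SID.search(rule)
    return {"sid": sid.group(1) if sid else None,
            "src": negated_any(m.group(3), variables),
            "dst": negated_any(m.group(6), variables)}


def audit_ruleset(rules, variables):
    """Rules whose address fields collapse to '!any' under these variable values."""
    return [r for r in (audit_rule(rule, variables) for rule in rules) if r["src"] or r["dst"]]


if __name__ == "__main__":
    print(audit_ruleset(RULES, DEFAULT_VARS))   # all four flagged
    print(audit_ruleset(RULES, TUNED_VARS))     # nothing flagged
```

With the default-style variables every one of the constructed rules is flagged, including the fourth, where the negation sits inside an otherwise positive list; with the tuned set none is. The useful property of the check is that it follows variable indirection, so `DNS_SERVERS` is reported even though it is `HOME_NET` that actually holds `any`.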
