Francis Trudeau | 21 Oct 22:38 2014

Daily Ruleset Update Summary 10/21/2014

 [***] Summary: [***]

 2 new Open signatures, 19 new Pro (2+17).  Cryptowall, Cisco ASA
vulns, Various Android.

 Thanks:  Kevin Ross and @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2019485 - ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 21 2014
(current_events.rules)
  2019486 - ET TROJAN Possible IRC Bot Common PRIVMSG Commands (trojan.rules)

 Pro:

  2809030 - ETPRO TROJAN Possibly Malicious DNS TXT Response Contains
URL (trojan.rules)
  2809031 - ETPRO TROJAN Win32.Cryptolocker.cg SSL Cert (trojan.rules)
  2809032 - ETPRO MOBILE_MALWARE Android/LoveTrap.A Checkin 3
(mobile_malware.rules)
  2809033 - ETPRO MALWARE PUP Win32/Bundled.Toolbar.Ask.K Retrieving
Geolocation (malware.rules)
  2809036 - ETPRO EXPLOIT Possible Cisco Standby FailoverExec Exploit
Attempt (exploit.rules)
  2809037 - ETPRO EXPLOIT Possible Cisco Standby ConfigSync Exploit
Attempt (exploit.rules)
  2809038 - ETPRO MALWARE PUP Win32/SpeedingUpMyPC Checkin (malware.rules)
  2809039 - ETPRO WEB_SPECIFIC_APPS Rejetto HttpFileServer RCE Check

Kevin Ross | 20 Oct 10:43 2014

SIGS: Reflected File Download & Generic IRCBot.DDOS

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Reflected File Download Malicious Code Execution Attempt"; flow:established,to_client; content:"Content-Disposition|3A| attachment"; http_header; fast_pattern:19,12; file_data; content:"|5C 22 7C 7C|"; distance:0; content:"|7C 7C|"; within:200; pcre:"/\x5C\x22\x7C\x7C[^\r\n]*\x7C\x7C/sm"; classtype:trojan-activity; reference:url,www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf; sid:119911; rev:1;)

# FYI, here is a bot that was being dropped via Shellshock, which I picked up at www[.]ykum[.]com//bbs/skin/zero_vote/cpan_root
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRCBot.DDOS Common Flood Command"; flow:established,to_client; content:"PRIVMSG"; depth:8; content:"flood"; nocase; within:15; pcre:"/^PRIVMSG[^\r\n]*flood[^\r\n]*(\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|http\x3A\x2F\x2F|https\x3A\x2F\x2F)/i"; classtype:trojan-activity; sid:119912; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRCBot.DDOS Common TCP DDOS Command"; flow:established,to_client; content:"PRIVMSG"; depth:8; content:"tcp"; within:15; nocase; pcre:"/^PRIVMSG[^\r\n]*tcp[^\r\n]*(\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|http\x3A\x2F\x2F|https\x3A\x2F\x2F)/i"; classtype:trojan-activity; sid:119913; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRCBot.DDOS Common UDP DDOS Command"; flow:established,to_client; content:"PRIVMSG"; depth:8; content:"udp"; within:15; nocase; pcre:"/^PRIVMSG[^\r\n]*udp[^\r\n]*(\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|http\x3A\x2F\x2F|https\x3A\x2F\x2F)/i"; classtype:trojan-activity; sid:119914; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRCBot.DDOS Common SYN DDOS Command"; flow:established,to_client; content:"PRIVMSG"; depth:8; content:"syn"; within:15; nocase; pcre:"/^PRIVMSG[^\r\n]*syn[^\r\n]*(\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|http\x3A\x2F\x2F|https\x3A\x2F\x2F)/i"; classtype:trojan-activity; sid:119915; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRCBot.DDOS Common DDOS Command"; flow:established,to_client; content:"PRIVMSG"; depth:8; content:"ddos"; within:15; nocase; pcre:"/^PRIVMSG[^\r\n]*ddos[^\r\n]*(\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|http\x3A\x2F\x2F|https\x3A\x2F\x2F)/i"; classtype:trojan-activity; sid:119916; rev:1;)
 
Kind Regards,
Kevin Ross
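
The two signature families in Kevin's message, re-implemented as plain Python so they can be run over sample traffic. This is an added example, not code from the post or from the ET ruleset: the HTTP responses and IRC lines below are constructed, and the IRC samples assume the command form the rules expect (PRIVMSG at offset 0 of the payload).

```python
import re

# Same bytes the RFD rule matches: \"|| ... || on a single line.  The rule's
# within:200 bounds the gap between the two content matches and its PCRE
# forbids line breaks in between; {0,198} keeps both constraints.
RFD_PAYLOAD = re.compile(rb'\x5C\x22\x7C\x7C[^\r\n]{0,198}\x7C\x7C')
ATTACHMENT = b'Content-Disposition: attachment'  # case-sensitive, as in the rule


def rfd_match(raw_response: bytes) -> bool:
    """True when an HTTP response served as an attachment reflects a
    backslash-quote-||...|| sequence in its body (the RFD payload shape)."""
    head, sep, body = raw_response.partition(b'\r\n\r\n')
    if not sep or ATTACHMENT not in head:          # http_header buffer check
        return False
    return RFD_PAYLOAD.search(body) is not None    # file_data buffer check


DDOS_KEYWORDS = (b'flood', b'tcp', b'udp', b'syn', b'ddos')
TARGET = rb'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|https?://)'


def irc_ddos_commands(line: bytes) -> list:
    """Return the keyword of every IRCBot.DDOS rule a raw IRC line triggers."""
    if not line.startswith(b'PRIVMSG'):            # depth:8 -> PRIVMSG at offset 0
        return []
    window = line[7:7 + 15].lower()                # within:15 after "PRIVMSG"
    hits = []
    for kw in DDOS_KEYWORDS:
        if kw not in window:
            continue
        pat = rb'^PRIVMSG[^\r\n]*' + kw + rb'[^\r\n]*' + TARGET
        if re.match(pat, line, re.IGNORECASE):
            hits.append(kw.decode())
    return hits


# Constructed samples, not captured traffic.
RFD_RESPONSE = (b'HTTP/1.1 200 OK\r\n'
                b'Content-Type: application/json\r\n'
                b'Content-Disposition: attachment; filename="setup.bat"\r\n'
                b'\r\n'
                b'{"results":[],"callback":"\\"||calc||"}')
CLEAN_ATTACHMENT = (b'HTTP/1.1 200 OK\r\n'
                    b'Content-Disposition: attachment; filename="report.csv"\r\n'
                    b'\r\n'
                    b'id,name\r\n1,alice\r\n')
NO_DISPOSITION = (b'HTTP/1.1 200 OK\r\n'
                  b'Content-Type: application/json\r\n'
                  b'\r\n'
                  b'{"callback":"\\"||calc||"}')

IRC_LINES = [
    b'PRIVMSG #ops :!flood 192.0.2.10 80 60\r\n',
    b'PRIVMSG #ops :!udp http://example.test/x 30\r\n',
    b'PRIVMSG #ops :hey did you see the tcp dump from 10.0.0.1?\r\n',
    b':c2!bot@host PRIVMSG #ops :!syn 198.51.100.7 443\r\n',
]

if __name__ == '__main__':
    for name, resp in (('rfd', RFD_RESPONSE), ('clean', CLEAN_ATTACHMENT),
                       ('no-disposition', NO_DISPOSITION)):
        print(f'{name:15s} rfd_match={rfd_match(resp)}')
    for line in IRC_LINES:
        print(f'{line.strip()!r:62s} -> {irc_ddos_commands(line)}')
```

The third IRC line contains "tcp" but too far from PRIVMSG to satisfy within:15, and the fourth carries the `:nick!user@host` prefix an IRC server prepends when relaying, which fails depth:8; the rules therefore only fire on C2 that sends bare PRIVMSG lines.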
Russell Fulton | 20 Oct 01:27 2014

Likely FPs for ET TROJAN Trojan-Clicker.Win32.Agent.qqf Checkin 2012643

Sogou produces legitimate Chinese-language typing software; this rule seems to trigger on any occurrence of
'/sogou/' in a URL.

examples:

GET /lbi-html/ly/2014/sogou/1011/index.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://news.hexun.com/2014-10-19/169467686.html
Accept-Language: en-NZ
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: itv.hexun.com
DNT: 1
Connection: Keep-Alive

GET /www/sogou/sogou_tips_v1.png HTTP/1.1
If-Modified-Since: Mon, 11 Aug 2014 10:45:19 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Referer: http://ent.qq.com/a/20141019/002345.htm
X-Akamai-CONFIG-LOG-DETAIL: true
TE:  chunked;q=1.0
Connection: TE
Accept-Encoding: gzip
Akamai-Origin-Hop: 1
Via: 1.1 akamai.net(ghost) (AkamaiGHost)
X-Forwarded-For: 172.24.56.123
Host: mat1.gtimg.com
Cache-Control: max-age=7200
Connection: keep-alive

Francis Trudeau | 17 Oct 22:57 2014

Daily Ruleset Update Summary 10/17/2014

 [***] Summary: [***]

 14 new Open signatures, 17 new Pro (14 + 3).  BlackEnergy,
Win32/Zemot, Spy.KeyLogger.

 Thanks:  Jake Warren, James Lay, Kevin Ross and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2019457 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019458 - ET TROJAN Win32/Zemot URI Struct (trojan.rules)
  2019459 - ET TROJAN Win32/Zemot Requesting PE (trojan.rules)
  2019460 - ET WEB_SERVER MongoDB Negated Parameter Server Side
JavaScript Injection Attempt (web_server.rules)
  2019461 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1
(current_events.rules)
  2019462 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2
(current_events.rules)
  2019463 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3
(current_events.rules)
  2019464 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4
(current_events.rules)
  2019465 - ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5
(current_events.rules)
  2019466 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2019467 - ET TROJAN Win32/Spy.KeyLogger.ODN Checkin (trojan.rules)
  2019468 - ET TROJAN Win32/Spy.KeyLogger.ODN Exfiltrating Data (trojan.rules)
  2019469 - ET TROJAN Deputy Dog checkin (trojan.rules)
  2019470 - ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 17 2014
(current_events.rules)

 Pro:

  2809016 - ETPRO TROJAN Win32.Cosmu (trojan.rules)
  2809017 - ETPRO TROJAN Win32.Pasta Variant Checkin (trojan.rules)
  2809018 - ETPRO TROJAN W32/Cryrar CnC (trojan.rules)

 [///]     Modified active rules:     [///]

  2018052 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
(current_events.rules)
  2018995 - ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014
(current_events.rules)
  2018996 - ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014
(current_events.rules)
  2019097 - ET CURRENT_EVENTS Archie EK SilverLight URI Struct
(current_events.rules)
  2019416 - ET POLICY SSLv3 outbound connection from client vulnerable
to POODLE attack (policy.rules)
  2019418 - ET CURRENT_EVENTS SSL excessive fatal alerts (possible
POODLE attack against server) (current_events.rules)
  2805900 - ETPRO MOBILE_MALWARE Android/Ksapp.A Checkin 2
(mobile_malware.rules)

 [---]  Disabled and modified rules:  [---]

  2019325 - ET CURRENT_EVENTS Flashpack Redirect Method 3 (current_events.rules)

 [---]         Removed rules:         [---]

  2018450 - ET TROJAN Potential Selfint C2 traffic (from client) (trojan.rules)
Kevin Ross | 17 Oct 16:50 2014

SIG: ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; content:"[$ne]"; http_uri; fast_pattern:only; classtype:web-application-attack; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; sid:193811; rev:1;)

Kind Regards,
Kevin Ross
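
The operator-injection shape behind the `[$ne]` signature above, shown end to end: a bracket-notation query string parsed the way Node's qs module nests it, the MongoDB filter an unguarded login handler would build from it, and a minimal in-memory evaluator for that filter. This is an added example, not code from the post or from Imperva's write-up; there is no real database or web framework, and the one-level bracket nesting is the assumption the example rests on.

```python
import re
from urllib.parse import parse_qsl


def parse_bracket_qs(query: str) -> dict:
    """Parse 'user=admin&pass[$ne]=x' into {'user': 'admin', 'pass': {'$ne': 'x'}}.
    Mimics one level of qs/body-parser bracket nesting (assumption)."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = re.fullmatch(r'([^\[]+)\[([^\]]*)\]', key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


# Constructed sample collection; nothing here is a real account.
USERS = [
    {'username': 'admin', 'password': 'correct horse battery staple'},
    {'username': 'bob', 'password': 'hunter2'},
]


def _matches(value, cond) -> bool:
    """Just enough of MongoDB's query semantics for the demo: equality and $ne."""
    if isinstance(cond, dict) and '$ne' in cond:
        return value != cond['$ne']
    return value == cond


def find_one(collection, filt):
    for row in collection:
        if all(_matches(row.get(k), v) for k, v in filt.items()):
            return row
    return None


def login_vulnerable(query: str):
    """Builds the filter straight from parsed input, so an attacker-supplied
    {'$ne': ...} becomes a query operator instead of a password string."""
    p = parse_bracket_qs(query)
    return find_one(USERS, {'username': p.get('username'),
                            'password': p.get('password')})


def login_hardened(query: str):
    """Same lookup, but only plain strings are accepted as credentials."""
    p = parse_bracket_qs(query)
    user, pw = p.get('username'), p.get('password')
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_one(USERS, {'username': user, 'password': pw})


if __name__ == '__main__':
    for q in ('username=admin&password=wrong',
              'username=admin&password[$ne]=x',
              'username=admin&password%5B%24ne%5D=x'):
        print(f'{q:42s} vulnerable={login_vulnerable(q) is not None} '
              f'hardened={login_hardened(q) is not None}')
```

Note what the signature does and does not see: it looks for the literal `[$ne]` in the normalised URI, so the same operator sent in a JSON body, or a different operator such as `$gt`, goes past it; the type check in `login_hardened` is the fix that does not depend on the IDS.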
James Lay | 16 Oct 21:18 2014

Interesting FP

Why in the world they would call a jpg a bin I have no idea:

2014-10-16T19:11:49+0000        CthkCtNPJbsXjxQgi       x.x.x.x    
40014   54.230.4.176    80      1       GET     ci25.aocdn.net  
/acton/is/0/2938/s-0307-1410/o-0007/i.bin       -       Mozilla/4.0 
(compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET 
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 
6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7113; ms-office; 
MSOffice 14)       0       2068    200     OK      -       -       -     
  (empty) -       -       -       -       -       FjI9ew3csMjiBKbWI4     
image/jpeg

But there it is:

19:11:49  [1:2018052:4] ET CURRENT_EVENTS Zbot Generic URI/Header 
Struct .bin [**] [Classification: A Network Trojan was Detected] 
[Priority: 1] {TCP} x.x.x.x:40014 -> 54.230.4.176:80

[10:29:27 gateway:~/careful$] wgettor 
'ci25.aocdn.net/acton/is/0/2938/s-0307-1410/o-0007/i.bin'
--2014-10-16 12:14:28--  
http://ci25.aocdn.net/acton/is/0/2938/s-0307-1410/o-0007/i.bin
Resolving ci25.aocdn.net (ci25.aocdn.net)... 54.230.4.176
Connecting to ci25.aocdn.net (ci25.aocdn.net)|54.230.4.176|:80... 
connected.
HTTP request sent, awaiting response...
   HTTP/1.1 200 OK
   Content-Type: application/octet-stream;charset=UTF-8
   Content-Length: 2068
   Connection: keep-alive
   Server: Apache-Coyote/1.1
   Date: Thu, 16 Oct 2014 18:14:32 GMT
   X-Cache: Miss from cloudfront
   Via: 1.1 9e2316f9bf6c03b8640526708b3cdb00.cloudfront.net (CloudFront)
   X-Amz-Cf-Id: wkzZR-L5hJxCZYbc6sWTGJflEk4bohbahqfQ2btsN409pjCDoOFkpA==
Length: 2068 (2.0K) [application/octet-stream]
Saving to:
`i.bin'

100%[======================================================================================================================>] 
2,068       8.89K/s   in 0.2s

2014-10-16 12:14:33 (8.89 KB/s) - `i.bin' saved [2068/2068]

[12:14:33 gateway:~/careful$] file i.bin
i.bin: JPEG image data, EXIF standard

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:4;)

James
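
To show why the Outlook image fetch above hits sid 2018052, here are the rule's request-side checks expressed in Python, followed by the magic-byte classification that `file` performed on the download. This is an added example, not ET code: only the User-Agent and URI are taken from James's log; the remaining request headers are constructed, and the sample assumes the fetch carried no Referer and no Accept-Language, which is the combination the rule's negations key on.

```python
import re

URI_RE = re.compile(rb'/[a-z0-9]{1,31}\.bin$')       # pcre:"/\/[a-z0-9]{1,31}\.bin$/U"
NEGATED = (b'Referer:', b'Accept-Language:', b'AskTbARS',
           b'.passport.net\r\n', b'.microsoftonline-p.net\r\n',
           b'.symantec.com\r\n', b'.qq.com\r\n')      # the content:! checks


def zbot_bin_match(raw_request: bytes) -> bool:
    """Apply the request-side tests of sid 2018052 to a raw HTTP request."""
    head, sep, _ = raw_request.partition(b'\r\n\r\n')  # content:"|0d 0a 0d 0a|"
    if not sep:
        return False
    request_line, _, headers = head.partition(b'\r\n')
    parts = request_line.split(b' ')
    if len(parts) < 2 or parts[0] != b'GET':           # http_method
        return False
    if not URI_RE.search(parts[1]):                     # .bin + pcre on http_uri
        return False
    if b' MSIE ' not in headers:                        # content:" MSIE "
        return False
    return not any(n in headers for n in NEGATED)


MAGIC = ((b'\xff\xd8\xff', 'JPEG image'),
         (b'\x89PNG\r\n\x1a\n', 'PNG image'),
         (b'MZ', 'PE executable'))


def sniff_type(body: bytes) -> str:
    """What file(1) did above: classify by magic bytes, ignoring name and Content-Type."""
    for sig, name in MAGIC:
        if body.startswith(sig):
            return name
    return 'unknown'


# User-Agent and URI copied from the Bro log; every other header is constructed.
OUTLOOK_UA = (b'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; '
              b'Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; '
              b'.NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; '
              b'Microsoft Outlook 14.0.7113; ms-office; MSOffice 14)')
OUTLOOK_FETCH = (b'GET /acton/is/0/2938/s-0307-1410/o-0007/i.bin HTTP/1.1\r\n'
                 b'Accept: */*\r\n'
                 b'User-Agent: ' + OUTLOOK_UA + b'\r\n'
                 b'Host: ci25.aocdn.net\r\n'
                 b'Connection: Keep-Alive\r\n'
                 b'\r\n')
# Same fetch as a browser would make it: Referer and Accept-Language present.
BROWSER_FETCH = (b'GET /acton/is/0/2938/s-0307-1410/o-0007/i.bin HTTP/1.1\r\n'
                 b'Accept: image/png,image/*;q=0.8,*/*;q=0.5\r\n'
                 b'Accept-Language: en-US,en;q=0.5\r\n'
                 b'User-Agent: ' + OUTLOOK_UA + b'\r\n'
                 b'Referer: http://example.test/newsletter\r\n'
                 b'Host: ci25.aocdn.net\r\n'
                 b'\r\n')
JPEG_SAMPLE = b'\xff\xd8\xff\xe1\x00\x10Exif\x00\x00'   # constructed JPEG/EXIF header

if __name__ == '__main__':
    print('outlook fetch matches:', zbot_bin_match(OUTLOOK_FETCH))
    print('browser fetch matches:', zbot_bin_match(BROWSER_FETCH))
    print('i.bin body is:', sniff_type(JPEG_SAMPLE))
```

Every positive test in the rule is satisfied by a stock Outlook image fetch (MSIE token in the UA, short lowercase name ending in .bin), so the negations on Referer and Accept-Language are doing all the discriminating work; checking the response body's magic bytes is the cheap post-hoc way to tell a tracking pixel from a dropped PE.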
Jake Warren | 16 Oct 20:16 2014

Archie EK Sigs

Thanks to @PhysicalDrive0 - https://twitter.com/PhysicalDrive0/status/522748906183348224

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0497 Oct 16 2014"; flow:established,to_server; content:"/pruncdflashlow.swf HTTP/1."; reference:cve,2014-0497; classtype:trojan-activity; sid:xxxx; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0515 Oct 16 2014"; flow:established,to_server; content:"/pruncdflashhigh.swf HTTP/1."; reference:cve,2014-0515; classtype:trojan-activity; sid:xxxx; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Archie EK CVE-2013-0074 Oct 16 2014"; flow:to_server,established; content:"/pruncdsilverapp1.xap"; http_uri; fast_pattern:only; reference:cve,2013-0074; classtype:trojan-activity; sid:xxxx; rev:1;)

Regards,
Jake Warren
Francis Trudeau | 16 Oct 19:59 2014

Daily Ruleset Update Summary 10/16/2014

 [***] Summary: [***]

 35 new Open signatures, 37 new Pro (35+2).  CVE-2014-3704 Drupal
SQLi, FrameworkPOS, Win32.GameThief.Magania.

 Thanks:  Steven Bairstow, Jake Warren, @kafeine.

 [+++]          Added rules:          [+++]

  2019422 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 1 (exploit.rules)
  2019423 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 2 (exploit.rules)
  2019424 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 3 (exploit.rules)
  2019425 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 4 (exploit.rules)
  2019426 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 5 (exploit.rules)
  2019427 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 6 (exploit.rules)
  2019428 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 7 (exploit.rules)
  2019429 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 8 (exploit.rules)
  2019430 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 9 (exploit.rules)
  2019431 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 10 (exploit.rules)
  2019432 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 11 (exploit.rules)
  2019433 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 12 (exploit.rules)
  2019434 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 13 (exploit.rules)
  2019435 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 14 (exploit.rules)
  2019436 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 15 (exploit.rules)
  2019437 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 16 (exploit.rules)
  2019438 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 17 (exploit.rules)
  2019439 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 18 (exploit.rules)
  2019440 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 19 (exploit.rules)
  2019441 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 20 (exploit.rules)
  2019442 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 21 (exploit.rules)
  2019443 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 22 (exploit.rules)
  2019444 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 23 (exploit.rules)
  2019445 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 24 (exploit.rules)
  2019446 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 25 (exploit.rules)
  2019447 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 26 (exploit.rules)
  2019448 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 27 (exploit.rules)
  2019449 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 28 (exploit.rules)
  2019450 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 29 (exploit.rules)
  2019451 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 30 (exploit.rules)
  2019452 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 31 (exploit.rules)
  2019453 - ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt
URLENCODE 32 (exploit.rules)
  2019454 - ET TROJAN FrameworkPOS Covert DNS CnC Beacon 1 (trojan.rules)
  2019455 - ET TROJAN FrameworkPOS Covert DNS CnC Beacon 2 (trojan.rules)
  2019456 - ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014
(current_events.rules)

 Pro:

  2809014 - ETPRO MALWARE Win32/AdWare.Pirrit.A Checkin (malware.rules)
  2809015 - ETPRO TROJAN Win32.GameThief.Magania Client Response (trojan.rules)

 [///]     Modified active rules:     [///]

  2013935 - ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel
TXT Response (trojan.rules)

 [---]         Removed rules:         [---]

  2019274 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014
(current_events.rules)
Ulm, Matt | 16 Oct 17:38 2014

Help a snort noob

Hello all,

I have set up my first Snort server, and I was using the Emerging Threats free feed for rules, and ran into a slight hitch.

 

FATAL ERROR: /path/to/snort/rules/ET-emerging-policy.rules(499) threshold (in rule): could not create threshold - only one per sig_id=2014297

 

Can someone explain this to me, and will this be an issue with future PulledPork pulls?

 

- Matthew Ulm

Kevin Ross | 16 Oct 16:07 2014

java vuln paper

A very interesting paper with plenty of technical detail:

http://www.fireeye.com/resources/pdfs/fireeye-a-daily-grind-filtering-java-vulnerabilities.pdf
Jake Warren | 16 Oct 01:53 2014

FrameworkPOS DNS Sig

alert udp $HOME_NET any -> any 53 (msg:"FrameworkPOS DNS CNC Beacon"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|beacon"; fast_pattern; content:"dc"; distance:3; within:9; pcre:"/[a-f0-9]{2,}\x06beacon.[a-f0-9]{2,6}dc[a-f0-9]{2,6}dc[a-f0-9]{2,6}dc[a-f0-9]{2,6}.[a-f0-9]{2,}/"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:xxxx; rev:2;)

Regards,
Jake Warren
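
A wire-level view of the FrameworkPOS DNS signature above: build a DNS query for a name of the shape the rule's PCRE describes, then apply the rule's content and pcre checks to the raw UDP payload, so it is visible what `|01 00 00 01 ...|` at offset 2, `|06|beacon` and `distance:3; within:9` correspond to in the packet. This is an added example, not code from the post or from G Data; the hostname is constructed to fit the regex and is not a real beacon.

```python
import re
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Recursive A query: 12-byte header, QNAME as length-prefixed labels, QTYPE/QCLASS."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode()
                     for label in name.split('.')) + b'\x00'
    return header + qname + struct.pack('>HH', 1, 1)


def qname_labels(packet: bytes) -> list:
    """Decode the question name (a query carries no compression pointers)."""
    labels, pos = [], 12
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return labels


# The rule's PCRE, unchanged: each '.' stands in for the label-length byte
# that separates DNS labels on the wire.
BEACON_RE = re.compile(rb'[a-f0-9]{2,}\x06beacon.[a-f0-9]{2,6}dc[a-f0-9]{2,6}dc'
                       rb'[a-f0-9]{2,6}dc[a-f0-9]{2,6}.[a-f0-9]{2,}')


def frameworkpos_beacon(packet: bytes) -> bool:
    """Apply the signature's checks, in order, to a raw UDP payload."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
    # = flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/AR 0
    if packet[2:12] != bytes.fromhex('01000001000000000000'):
        return False
    i = packet.find(b'\x06beacon')                   # content:"|06|beacon"
    if i < 0:
        return False
    end = i + len(b'\x06beacon')
    # content:"dc"; distance:3; within:9 -> skip the next label's length byte
    # and two hex digits, then "dc" must sit inside the following 9 bytes
    if packet.find(b'dc', end + 3, end + 3 + 9) < 0:
        return False
    return BEACON_RE.search(packet) is not None


def beacon_segments(packet: bytes) -> list:
    """Split the label after 'beacon' on the 'dc' separator.  'dc' is itself
    valid hex, so this split is ambiguous on arbitrary data; it is shown only
    to make the rule's {2,6}dc structure visible."""
    labels = qname_labels(packet)
    return labels[labels.index('beacon') + 1].split('dc')


# Constructed name in the shape the PCRE describes; not an observed beacon.
BEACON_NAME = 'a1b2c3d4.beacon.ab12dc34cddc56efdc7890.1f2e3d4c.example.test'

if __name__ == '__main__':
    for name in (BEACON_NAME, 'www.example.test', 'api.beacon.example.test'):
        pkt = build_dns_query(name)
        print(f'{name:60s} match={frameworkpos_beacon(pkt)}')
    print('segments:', beacon_segments(build_dns_query(BEACON_NAME)))
```

The second and third names show the two early exits: no `beacon` label at all, and a `beacon` label whose following label does not contain `dc` in the within:9 window, so the comparatively expensive PCRE is never reached for ordinary traffic.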
