2 new Open. 8 new Pro (2/6).

Added an http_cookie vector for CVE-2014-6271 (thanks @inliniac).

2019239 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie (web_server.rules)
2019240 - ET POLICY Executable and linking format (ELF) file download Over HTTP (policy.rules)

2808886 - ETPRO EXPLOIT EMC AlphaStor Device Manager Opcode 0x75 Command Injection (exploit.rules)
2808887 - ETPRO TROJAN Win32/BrowserPassview Checkin via SMTP (trojan.rules)
2808888 - ETPRO TROJAN Win32/BrowserPassview Checkin via SMTP 2 (trojan.rules)
2808889 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Masnu.a Checkin (mobile_malware.rules)
2808890 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.CH Checkin (mobile_malware.rules)
2808891 - ETPRO MOBILE_MALWARE AndroidOS/Agent.EJ Checkin (mobile_malware.rules)

We also enabled the ELF download signatures in POLICY by default. Most of the exploitation attempts we are seeing try to pull down ELF DDoS bots. Depending on your environment you may want to disable them, although I think downloads of plain ELF files are probably rare for most orgs.
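Detection logic for the vectors the rules above cover, as an added Python example that is not ET's rule text: it flags the CVE-2014-6271 function-definition marker in the HTTP version field or in any request header (Cookie included), and recognises an ELF body in an HTTP response by its magic bytes. The sample request and response below are constructed; real rules match specific buffers and are more precise than this regex.

```python
import re

# CVE-2014-6271 marker: a Bash exported-function definition at the start of a value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
ELF_MAGIC = b"\x7fELF"

# Constructed samples (not real traffic).
SAMPLE_COOKIE_REQUEST = (
    b"GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
    b"Cookie: () { :; }; echo vulnerable\r\n\r\n"
)
SAMPLE_VERSION_REQUEST = b"GET / () { :; }; echo vulnerable\r\nHost: example.test\r\n\r\n"
SAMPLE_BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"
SAMPLE_ELF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
)
SAMPLE_HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_request(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def shellshock_vectors(raw):
    """Return the request locations carrying the marker, e.g. ['header:cookie']."""
    request_line, headers = parse_request(raw)
    hits = []
    # Third token of the request line is where HTTP/1.1 normally sits (2019236 case).
    if request_line.count(" ") >= 2 and SHELLSHOCK_RE.search(request_line.split(" ", 2)[2]):
        hits.append("http_version")
    for name, value in headers.items():  # 'header:cookie' is the 2019239 case
        if SHELLSHOCK_RE.search(value):
            hits.append("header:" + name)
    return hits


def is_elf_download(response):
    """True when an HTTP response body starts with the ELF magic (2019240 logic)."""
    parts = response.split(b"\r\n\r\n", 1)
    return len(parts) == 2 and parts[1].startswith(ELF_MAGIC)
```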

The following rules also went out late last night:

2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number (web_server.rules)
2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15 (exploit.rules)
2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67 (exploit.rules)
Date: Wednesday, September 24, 2014 - 22:00