[***] Summary: [***]

5 new Open signatures, 7 new Pro (5 + 2). Trojan-Spy.AndroidOS.Agent, Destover RAT, Dridex. Thanks: Kevin Ross, @Regiteric, @abuse_ch and @herrcore.

[+++] Added rules: [+++]

Open:

2019876 - ET SCAN SSH BruteForce Tool with fake PUTTY version (scan.rules)
2019877 - ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014 (current_events.rules)
2019878 - ET TROJAN Destover RAT Check-in (trojan.rules)
2019879 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
2019880 - ET WEB_SERVER Double Encoded Characters in URI (../) (web_server.rules)

Pro:

2809286 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ap Checkin 2 (mobile_malware.rules)
2809287 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ap Checkin 3 (mobile_malware.rules)

[///] Modified active rules: [///]

2012051 - ET TFTP TFTPGUI Long Transport Mode Buffer Overflow (tftp.rules)
2012095 - ET ACTIVEX J-Integra Remote Code Execution (activex.rules)
2012097 - ET ACTIVEX WMITools ActiveX Remote Code Execution (activex.rules)
2012098 - ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow (activex.rules)
2012983 - ET SMTP Spamcop.net Block Message (smtp.rules)
2012985 - ET SMTP Sorbs.net Block Message (smtp.rules)
2013041 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com (mobile_malware.rules)
2013074 - ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability (scada.rules)
2013235 - ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt (scada.rules)
2013300 - ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert (policy.rules)
2014130 - ET POLICY Splashtop Remote Control Session Keepalive Response (policy.rules)
2014132 - ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt (activex.rules)
2014286 - ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate (malware.rules)
2014287 - ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate on Off Port (malware.rules)
2014354 - ET TROJAN W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP (trojan.rules)
2014380 - ET POLICY HTTP POST invalid method case outbound (policy.rules)
2014382 - ET POLICY HTTP OPTIONS invalid method case outbound (policy.rules)
2014632 - ET TROJAN FireEye.STX RAT Checkin (trojan.rules)
2014668 - ET TROJAN W32/SpyBanker Infection Confirmation Email (trojan.rules)
2014842 - ET TROJAN Blackhole Loading Gif Inline Image (trojan.rules)
2014925 - ET INFO NetSSH SSH Version String Hardcoded in Metasploit (info.rules)
2015795 - ET TROJAN Winlock.6870 SSL Cert (trojan.rules)
2016149 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request) (info.rules)
2016150 - ET INFO Session Traversal Utilities for NAT (STUN Binding Response) (info.rules)
2016772 - ET TROJAN Win32/Enchanim C2 Client Check-in (trojan.rules)
2016849 - ET TROJAN Worm.Win32.Ngrbot.lof Join IRC channel (trojan.rules)
2017120 - ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID) (policy.rules)
2017121 - ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 2 status code Unauthorized Name (attack_response.rules)
2017799 - ET EXPLOIT Zollard PHP Exploit Telnet Inbound (exploit.rules)
2017800 - ET EXPLOIT Zollard PHP Exploit Telnet Outbound (exploit.rules)
2017966 - ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03 (dos.rules)
2018399 - ET TROJAN BitCrypt site accessed via .onion SSL Proxy (trojan.rules)
2019014 - ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03 (dos.rules)
2019015 - ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02 (dos.rules)
2019016 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03 (dos.rules)
2019017 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02 (dos.rules)
2019018 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03 (dos.rules)
2019019 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02 (dos.rules)
2019020 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03 (dos.rules)
2019021 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02 (dos.rules)
2019022 - ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses (dos.rules)
2019117 - ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019118 - ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019119 - ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF (current_events.rules)
2019295 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message (trojan.rules)
2019296 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message (trojan.rules)
2019297 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message (trojan.rules)
2019299 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message (trojan.rules)
2019300 - ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message (trojan.rules)
2019301 - ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message (trojan.rules)
2019302 - ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message (trojan.rules)
2019303 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message (trojan.rules)
2019304 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message (trojan.rules)
2019312 - ET TROJAN Sourtoff Download Simda Request (trojan.rules)
2019313 - ET TROJAN Sourtoff Receiving Simda Payload (trojan.rules)
2019318 - ET MOBILE_MALWARE Android/Code4hk.A Checkin (mobile_malware.rules)
2019346 - ET DOS Terse HTTP GET Likely LOIC (dos.rules)
2019347 - ET DOS HTTP GET AAAAAAAA Likely FireFlood (dos.rules)
2019348 - ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool (dos.rules)
2019349 - ET DOS Terse HTTP GET Likely AnonGhost DDoS tool (dos.rules)
2019350 - ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool (dos.rules)
2019508 - ET TROJAN DNS Reply Sinkhole - IP - 161.69.13.44 (trojan.rules)
2019564 - ET TROJAN Sofacy DNS Lookup adawareblock.com (trojan.rules)
2019565 - ET TROJAN Sofacy DNS Lookup adobeincorp.com (trojan.rules)
2019566 - ET TROJAN Sofacy DNS Lookup azureon-line.com (trojan.rules)
2019567 - ET TROJAN Sofacy DNS Lookup checkmalware.info (trojan.rules)
2019568 - ET TROJAN Sofacy DNS Lookup checkwinframe.com (trojan.rules)
2019569 - ET TROJAN Sofacy DNS Lookup check-fix.com (trojan.rules)
2019570 - ET TROJAN Sofacy DNS Lookup hotfix-update.com (trojan.rules)
2019571 - ET TROJAN Sofacy DNS Lookup microsofi.org (trojan.rules)
2019572 - ET TROJAN Sofacy DNS Lookup microsof-update.com (trojan.rules)
2019573 - ET TROJAN Sofacy DNS Lookup scanmalware.info (trojan.rules)
2019574 - ET TROJAN Sofacy DNS Lookup secnetcontrol.com (trojan.rules)
2019575 - ET TROJAN Sofacy DNS Lookup securitypractic.com (trojan.rules)
2019576 - ET TROJAN Sofacy DNS Lookup symanttec.org (trojan.rules)
2019577 - ET TROJAN Sofacy DNS Lookup testservice24.net (trojan.rules)
2019578 - ET TROJAN Sofacy DNS Lookup testsnetcontrol.com (trojan.rules)
2019579 - ET TROJAN Sofacy DNS Lookup updatepc.org (trojan.rules)
2019580 - ET TROJAN Sofacy DNS Lookup updatesoftware24.com (trojan.rules)
2019581 - ET TROJAN Sofacy DNS Lookup windows-updater.com (trojan.rules)
2019582 - ET TROJAN Sofacy DNS Lookup checkmalware.org (trojan.rules)
2019712 - ET TROJAN W32/Keylogger.CI Checkin (trojan.rules)
2019738 - ET TROJAN AlienSpy RAT Checkin Set (trojan.rules)
2019739 - ET TROJAN W32/AlienSpy RAT Checkin (trojan.rules)
2019740 - ET TROJAN OSX/AlienSpy RAT Checkin (trojan.rules)
2019746 - ET POLICY Bitmessage Activity (policy.rules)
2019761 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (current_events.rules)
2019762 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014 (current_events.rules)
2019778 - ET EXPLOIT DLSw Information Disclosure CVE-2014-7992 (exploit.rules)
2019808 - ET TROJAN W32/DoubleTap.APT Downloader CnC Beacon (trojan.rules)
2019851 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019852 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019853 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019854 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019855 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019856 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019857 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019858 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019859 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019860 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019861 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019862 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019863 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019864 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019865 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019866 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019867 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019868 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019869 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019870 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)
2019871 - ET TROJAN DNS Query for Operation Cleaver Domain (trojan.rules)

[///] Modified inactive rules: [///]

2012984 - ET SMTP Sophos.com Block Message (smtp.rules)
2015966 - ET P2P QVOD P2P Sharing Traffic detected (udp) beacon (p2p.rules)
2015967 - ET P2P QVOD P2P Sharing Traffic detected (udp) payload (p2p.rules)
2019404 - ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt (dos.rules)

Date: Thursday, December 4, 2014 - 22:00