[Emerging-updates] Daily Ruleset Update Summary 2017/11/27

Travis Green tgreen at emergingthreats.net 
Mon Nov 27 12:05:37 EST 2017
[***]            Summary:            [***]

4 new Open, 17 new Pro (4 + 13). Exim4 UAF, Scarab IP Check, Chrome Cred Stealing via Reflected SCF.

Note: about 250 rules have been updated to Suricata 4.0 rule syntax in the 4.0 rule fork as of today.

[+++]          Added rules:          [+++]

2025060 - ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request (web_client.rules)
2025061 - ET WEB_CLIENT PowerShell call in script 1 (web_client.rules)
2025062 - ET WEB_CLIENT PowerShell call in script 2 (web_client.rules)
2025063 - ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars) (exploit.rules)

Pro:

2828652 - ETPRO MALWARE LabTechAgent PUA CnC Checkin (malware.rules)
2828667 - ETPRO MALWARE Win32/Adware.Adposhel.A Checkin 5 (malware.rules)
2828700 - ETPRO TROJAN W32/LTTMoney Checkin (trojan.rules)
2828701 - ETPRO TROJAN Observed Malicious IP Check (W32/LTTMoney) (trojan.rules)
2828702 - ETPRO TROJAN Scarab Ransomware IP Check (trojan.rules)
2828703 - ETPRO POLICY IP Check Domain (iplogger .co in DNS Lookup) (policy.rules)
2828704 - ETPRO POLICY IP Check Domain (iplogger .co in TLS SNI) (policy.rules)
2828705 - ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup) (policy.rules)
2828706 - ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI) (policy.rules)
2828707 - ETPRO POLICY IP Check Domain (iplogger .info in DNS Lookup) (policy.rules)
2828708 - ETPRO POLICY IP Check Domain (iplogger .info in TLS SNI) (policy.rules)
2828709 - ETPRO INFO Commonly Abused File Sharing Site Domain Observed (a .pomfe .co in DNS Lookup) (info.rules)
2828710 - ETPRO INFO Commonly Abused File Sharing Site Domain Observed (a .pomfe .co in TLS SNI) (info.rules)

[///]     Modified active rules:     [///]

2003626 - ET MALWARE Double User-Agent (User-Agent User-Agent) (malware.rules)
2007727 - ET P2P possible torrent download (p2p.rules)
2011540 - ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) (policy.rules)
2011699 - ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x) (p2p.rules)
2013907 - ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin (trojan.rules)
2016550 - ET TROJAN Win32/Fareit Checkin 2 (trojan.rules)
2018380 - ET TROJAN Ixeshe/Mecklow Checkin 2 (trojan.rules)
2018518 - ET TROJAN Trojan.Win32.VBKrypt.cugq/Umbra Checkin (trojan.rules)
2019755 - ET TROJAN Bamital Headers - Likely CnC Beacon (trojan.rules)
2021384 - ET USER_AGENTS WildTangent User-Agent (WT Games App) (user_agents.rules)
2022464 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set) (current_events.rules)
2022465 - ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS) (current_events.rules)
2023022 - ET TROJAN ProjectSauron Remsec DNS Lookup (myhomemusic. com) (trojan.rules)
2024218 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response (exploit.rules)
2024220 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set) (exploit.rules)
2025020 - ET TROJAN Win32/Nivdort Checkin (trojan.rules)
2025021 - ET CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017 (current_events.rules)
2025022 - ET CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017 (current_events.rules)
2025023 - ET CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017 (current_events.rules)
2025024 - ET CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017 (current_events.rules)
2025025 - ET CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017 (current_events.rules)
2025026 - ET CURRENT_EVENTS Successful Generic Phish (set) Aug 21 2017 (current_events.rules)
2025027 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22 2017 (current_events.rules)
2025028 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sep 19 2017 (current_events.rules)
2025029 - ET CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017 (current_events.rules)
2025030 - ET CURRENT_EVENTS Successful Generic Credit Card Information Phish Oct 10 2017 (current_events.rules)
2025031 - ET CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017 (set) (current_events.rules)
2025032 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2017 (current_events.rules)
2025033 - ET CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017 (current_events.rules)
2025034 - ET CURRENT_EVENTS Possible Successful Generic Phish Nov 09 2017 (set) (current_events.rules)
2025035 - ET TROJAN Netwire RAT Check-in 2 (trojan.rules)
2025036 - ET TROJAN Netwire RAT Check-in 2 (trojan.rules)
2025037 - ET CURRENT_EVENTS Dadong Exploit Kit Downloaded (current_events.rules)
2025038 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set) (current_events.rules)
2025039 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set) (current_events.rules)
2025040 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 07 2015 (current_events.rules)
2025041 - ET CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1 (current_events.rules)
2025042 - ET CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2 (current_events.rules)
2025043 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing May 31 2016 (current_events.rules)
2025044 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 (current_events.rules)
2025045 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M2 (current_events.rules)
2025046 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M2 (current_events.rules)
2025047 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M3 (current_events.rules)
2025048 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer) (current_events.rules)
2025049 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M1 (current_events.rules)
2025050 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M2 (current_events.rules)
2025051 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M3 (current_events.rules)
2025052 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M1 (current_events.rules)
2025053 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M2 (current_events.rules)
2025054 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M3 (current_events.rules)
2025055 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M4 (current_events.rules)
2025056 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M5 (current_events.rules)
2025057 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M6 (current_events.rules)
2025058 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M7 (current_events.rules)
2025059 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M8 (current_events.rules)
2801292 - ETPRO USER_AGENTS Yoyo-DDoS Bot UA Detected Outbound (user_agents.rules)
2803437 - ETPRO TROJAN Backdoor.Win32.Shiz.ivr Checkin (trojan.rules)
2804855 - ETPRO TROJAN Win32.Simda.Y/Win32.Shiz.awez DNS Query to jecijyjudew.eu Domain (trojan.rules)
2805803 - ETPRO TROJAN Taidoor Checkin 2 (trojan.rules)
2809131 - ETPRO MALWARE PUP Optimizer Pro Checkin (malware.rules)
2809343 - ETPRO MALWARE Win32/Techsnab.B Checkin (malware.rules)
2809671 - ETPRO TROJAN Backdoor.Win32.Vawtrak Connectivity Check (trojan.rules)
2819999 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin (mobile_malware.rules)
2820706 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin 2 (mobile_malware.rules)

[---]  Disabled and modified rules:  [---]

2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
2018481 - ET TROJAN Trojan.Win32.Webprefix checkin (trojan.rules)
2020022 - ET TROJAN Possible VirLock Connectivity Check (trojan.rules)

[---]         Removed rules:         [---]

2804614 - ETPRO CURRENT_EVENTS Dadong Exploit Kit Downloaded (current_events.rules)
2809785 - ETPRO TROJAN Win32/Nivdort Checkin (trojan.rules)
2815643 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 07 2015 (current_events.rules)
2815662 - ETPRO CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1 (current_events.rules)
2815663 - ETPRO CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2 (current_events.rules)
2816388 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set) (current_events.rules)
2816439 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set) (current_events.rules)
2820400 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing May 31 2016 (current_events.rules)
2820569 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 (current_events.rules)
2820570 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M2 (current_events.rules)
2820849 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M2 (current_events.rules)
2820850 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M3 (current_events.rules)
2820852 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer) (current_events.rules)
2820967 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M1 (current_events.rules)
2820968 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M2 (current_events.rules)
2820969 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M3 (current_events.rules)
2821002 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M1 (current_events.rules)
2822174 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M2 (current_events.rules)
2822175 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M3 (current_events.rules)
2822176 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M4 (current_events.rules)
2822177 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M5 (current_events.rules)
2822178 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M6 (current_events.rules)
2822179 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M7 (current_events.rules)
2822180 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M8 (current_events.rules)
2823498 - ETPRO TROJAN Netwire RAT Check-in 2 (trojan.rules)
2823499 - ETPRO TROJAN Netwire RAT Check-in 2 (trojan.rules)
2827180 - ETPRO CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017 (current_events.rules)
2827183 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017 (current_events.rules)
2827184 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017 (current_events.rules)
2827185 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017 (current_events.rules)
2827186 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017 (current_events.rules)
2827597 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Aug 21 2017 (current_events.rules)
2827609 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22 2017 (current_events.rules)
2827894 - ETPRO USER_AGENTS Win32.Vaubeg.A UA (user_agents.rules)
2827997 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Sep 19 2017 (current_events.rules)
2828084 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017 (current_events.rules)
2828210 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information Phish Oct 10 2017 (current_events.rules)
2828230 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017 (set) (current_events.rules)
2828443 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2017 (current_events.rules)
2828473 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017 (current_events.rules)
2828586 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Nov 09 2017 (set) (current_events.rules)
2828652 - ETPRO POLICY LabTechAgent PUA CnC Checkin (policy.rules)
2828667 - ETPRO TROJAN MSIL/Agent.ATK POST to CnC (trojan.rules)