Daily Ruleset Update Summary 2017/12/12

[***]            Summary:            [***]

1 new Open, 28 new Pro (27 + 1). Carbanak/FIN7, GreenFlash SunDown EK, Various Phishing, Various Mobile.

December MAPP Coverage:
2828863 -> CVE-2017-11894
2828864 -> CVE-2017-11903
2828865 -> CVE-2017-11907

[+++]          Added rules:          [+++]

Open:

2025146 - ET DNS Query for Suspicious .gr .com Domain (gr .com in DNS Lookup) (dns.rules)

Pro:

2828848 - ETPRO TROJAN Carbanak/FIN7 JS.Backdoor Checkin (trojan.rules)
2828849 - ETPRO TROJAN Carbanak/FIN7 SSL Certificate Detected (trojan.rules)
2828850 - ETPRO CURRENT_EVENTS Microsoft Tech Support Scam 2017-12-12 (current_events.rules)
2828851 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M1 (current_events.rules)
2828852 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M2 (current_events.rules)
2828853 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish 2017-12-12 M3 (current_events.rules)
2828854 - ETPRO TROJAN Carbanak/FIN7 SSL Dropper Domain Detected (download .gr .com in TLS SNI) (trojan.rules)
2828855 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-12 (current_events.rules)
2828856 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 254 (mobile_malware.rules)
2828857 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.js Contact/SMS Exfil via SMTP (mobile_malware.rules)
2828858 - ETPRO CURRENT_EVENTS Malicious VBScript Inbound (seen dropping Ursnif) (current_events.rules)
2828859 - ETPRO CURRENT_EVENTS Possible GreenFlash SunDown EK Exploit (current_events.rules)
2828860 - ETPRO CURRENT_EVENTS GreenFlash SunDown EK Payload Dec 12 2017 (current_events.rules)
2828861 - ETPRO TROJAN njRAT/Bladabindi Variant CnC Activity (ll) (trojan.rules)
2828862 - ETPRO TROJAN Observed Malicious SSL Cert (Minergate Module DL) (trojan.rules)
2828863 - ETPRO WEB_CLIENT MS Edge Scripting Engine Memory Corruption Vuln (CVE-2017-11894) (web_client.rules)
2828864 - ETPRO WEB_CLIENT MS IE 11 UAF Vulnerability (CVE-2017-11903) (web_client.rules)
2828865 - ETPRO WEB_CLIENT MS IE 11 OOB Write Vulnerability (CVE-2017-11907) (web_client.rules)
2828866 - ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2017-12-12 (current_events.rules)
2828867 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 1) (trojan.rules)
2828868 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 2) (trojan.rules)
2828869 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 3) (trojan.rules)
2828870 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 4) (trojan.rules)
2828871 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 5) (trojan.rules)
2828872 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 6) (trojan.rules)
2828873 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-12-12 7) (trojan.rules)
2828874 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-12 (current_events.rules)
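
What the two ".gr .com" titles above (SID 2025146 on DNS queries, SID 2828854 on TLS SNI) key on, expressed as a log-side check you can run over Suricata EVE JSON. This is an added example, not the rules' own content, which the summary does not reproduce. It assumes that the defanged "gr .com" denotes the parent domain gr.com, uses Suricata's EVE field names (dns.rrname, tls.sni), and runs over constructed records rather than captured traffic. The suffix test is label-aware so that an unrelated name such as agr.com is not matched.

```python
"""Label-aware matching for the '.gr .com' DNS-lookup and TLS-SNI conditions
named in SIDs 2025146 and 2828854, applied to Suricata EVE JSON records.

Added illustration, not the ET rules' own content. Assumptions: 'gr .com' in
the titles is the defanged parent domain gr.com; EVE fields dns.rrname and
tls.sni are as Suricata emits them; SAMPLE_EVE below is constructed input.
"""
import json

SUSPICIOUS_PARENTS = {"gr.com"}          # assumed from the SID 2025146 title
SUSPICIOUS_HOSTS = {"download.gr.com"}   # assumed from the SID 2828854 title


def normalize(name):
    """Strip the trailing dot DNS logs carry and fold case."""
    return name.rstrip(".").lower()


def under_parent(name, parent):
    """True for the parent itself or any subdomain of it.

    Compares whole labels, so 'agr.com' does not match parent 'gr.com' the way
    a naive substring test would.
    """
    name = normalize(name)
    return name == parent or name.endswith("." + parent)


def classify(record):
    """Return (label, indicator) hits for one EVE record, or [] if none."""
    hits = []
    etype = record.get("event_type")
    if etype == "dns" and record.get("dns", {}).get("type") == "query":
        q = record["dns"].get("rrname", "")
        if any(under_parent(q, p) for p in SUSPICIOUS_PARENTS):
            hits.append(("2025146-like DNS .gr.com lookup", normalize(q)))
    elif etype == "tls":
        sni = record.get("tls", {}).get("sni", "")
        if normalize(sni) in SUSPICIOUS_HOSTS:
            hits.append(("2828854-like TLS SNI", normalize(sni)))
    return hits


def scan(lines):
    """Scan an iterable of EVE JSON lines; malformed lines are skipped."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend(classify(rec))
    return out


# Constructed EVE records, not captured traffic.
SAMPLE_EVE = [
    '{"event_type":"dns","dns":{"type":"query","rrname":"update.gr.com.","rrtype":"A"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"agr.com","rrtype":"A"}}',
    '{"event_type":"dns","dns":{"type":"answer","rrname":"update.gr.com.","rrtype":"A"}}',
    '{"event_type":"tls","tls":{"sni":"download.gr.com","version":"TLS 1.2"}}',
    '{"event_type":"tls","tls":{"sni":"Download.GR.com."}}',
    "not json at all",
]

if __name__ == "__main__":
    for label, indicator in scan(SAMPLE_EVE):
        print(f"{label}: {indicator}")
```

Only DNS query events are inspected, since the rule title speaks of lookups; answers for the same name are ignored so a single resolution does not fire twice. The SNI check is exact to the host named in the title rather than the whole parent domain.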

[///]     Modified active rules:     [///]

2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
2022054 - ET INFO Possible MSXMLHTTP Request to Dotted Quad (info.rules)
2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)
2815247 - ETPRO CURRENT_EVENTS Successful Excel Online Phish 2015-12-08 (current_events.rules)
2825562 - ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (ll) (trojan.rules)

[---]         Disabled rules:        [---]

2004313 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT (web_specific_apps.rules)
2004314 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT (web_specific_apps.rules)
2004315 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT (web_specific_apps.rules)
2004316 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE (web_specific_apps.rules)
2004317 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE (web_specific_apps.rules)
2004318 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII (web_specific_apps.rules)
2004379 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT (web_specific_apps.rules)
2004380 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT (web_specific_apps.rules)
2004381 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT (web_specific_apps.rules)
2004382 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE (web_specific_apps.rules)
2004383 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII (web_specific_apps.rules)
2004384 - ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE (web_specific_apps.rules)
2004469 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT (web_specific_apps.rules)
2004470 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT (web_specific_apps.rules)
2004471 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE (web_specific_apps.rules)
2004472 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII (web_specific_apps.rules)
2004473 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE (web_specific_apps.rules)
2004474 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT (web_specific_apps.rules)
2004475 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT (web_specific_apps.rules)
2004476 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT (web_specific_apps.rules)
2004477 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE (web_specific_apps.rules)
2004478 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII (web_specific_apps.rules)
2004479 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE (web_specific_apps.rules)
2004492 - ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT (web_specific_apps.rules)
2004754 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT (web_specific_apps.rules)
2004755 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT (web_specific_apps.rules)
2004756 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT (web_specific_apps.rules)
2004757 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE (web_specific_apps.rules)
2004758 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII (web_specific_apps.rules)
2004759 - ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE (web_specific_apps.rules)
2004881 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT (web_specific_apps.rules)
2004882 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT (web_specific_apps.rules)
2004883 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT (web_specific_apps.rules)
2004884 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE (web_specific_apps.rules)
2004885 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII (web_specific_apps.rules)
2004886 - ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE (web_specific_apps.rules)
2005533 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE (web_specific_apps.rules)
2005534 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII (web_specific_apps.rules)
2005535 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE (web_specific_apps.rules)
2005536 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT (web_specific_apps.rules)
2005537 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT (web_specific_apps.rules)
2005538 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT (web_specific_apps.rules)
2005539 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE (web_specific_apps.rules)
2005540 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII (web_specific_apps.rules)
2005541 - ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE (web_specific_apps.rules)
2005567 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT (web_specific_apps.rules)
2005568 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT (web_specific_apps.rules)
2005569 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT (web_specific_apps.rules)
2005571 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII (web_specific_apps.rules)
2005572 - ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE (web_specific_apps.rules)
2006609 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT (web_specific_apps.rules)
2006610 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT (web_specific_apps.rules)
2006611 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT (web_specific_apps.rules)
2006612 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE (web_specific_apps.rules)
2006613 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII (web_specific_apps.rules)
2006614 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE (web_specific_apps.rules)
2006951 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT (web_specific_apps.rules)
2006952 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT (web_specific_apps.rules)
2006953 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT (web_specific_apps.rules)
2006954 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE (web_specific_apps.rules)
2006955 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII (web_specific_apps.rules)
2006956 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE (web_specific_apps.rules)
2006957 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT (web_specific_apps.rules)
2006958 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT (web_specific_apps.rules)
2006960 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE (web_specific_apps.rules)
2006961 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII (web_specific_apps.rules)
2006962 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE (web_specific_apps.rules)
2006963 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT (web_specific_apps.rules)
2006964 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT (web_specific_apps.rules)
2006965 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT (web_specific_apps.rules)
2006966 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE (web_specific_apps.rules)
2006967 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII (web_specific_apps.rules)
2006968 - ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE (web_specific_apps.rules)
2008872 - ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection (web_specific_apps.rules)
2008934 - ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection (web_specific_apps.rules)
2009709 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo) (web_specific_apps.rules)
2009710 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system) (web_specific_apps.rules)
2011555 - ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt (web_specific_apps.rules)
2011875 - ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
2011940 - ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt (web_specific_apps.rules)
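
For teams that track these daily summaries, a parser for the format above that turns each SID line into a record, checks the header counts and the MAPP SID-to-CVE mapping against the listed rules, and tallies changes per category. This is an added example, not ET's own tooling. The inline sample is an abridged copy of this summary with its header count adjusted to the lines kept, so it is constructed input; the reading of "N new Pro (A + B)" as A Pro-only rules plus B Open rules that ship in both rulesets is an assumption stated in check_counts().

```python
"""Parse an Emerging Threats daily ruleset update summary into records and
cross-check the header line and MAPP mapping against the listed rules.

Added example, not part of the ET ruleset tooling. SAMPLE is an abridged,
constructed copy of the 2017/12/12 summary with the header count adjusted to
the lines kept; the Open/Pro count convention is an assumption (see check_counts).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(r"^(\d{7}) - (ET|ETPRO) (\S+) (.+) \(([\w.-]+\.rules)\)$")
SECTION_RE = re.compile(r"^\[(\*\*\*|\+\+\+|///|---)\]\s+(.+?):\s+\[")
MAPP_RE = re.compile(r"^(\d{7}) -> (CVE-\d{4}-\d+)$")
COUNTS_RE = re.compile(r"(\d+) new Open, (\d+) new Pro \((\d+) \+ (\d+)\)")
SECTIONS = {"***": "summary", "+++": "added", "///": "modified", "---": "disabled"}


@dataclass(frozen=True)
class Rule:
    sid: int
    ruleset: str          # "ET" (open) or "ETPRO"
    category: str         # e.g. TROJAN, CURRENT_EVENTS, WEB_SPECIFIC_APPS
    name: str
    file: str             # e.g. trojan.rules
    action: str           # added / modified / disabled
    tier: Optional[str]   # "open" / "pro" for added rules, else None


def parse_summary(text):
    """Return (rules, mapp, counts): rule records, {sid: CVE}, header counts."""
    rules, mapp, counts = [], {}, None
    section, tier = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, tier = SECTIONS[m.group(1)], None
            continue
        if section == "added" and line in ("Open:", "Pro:"):
            tier = line[:-1].lower()
            continue
        m = COUNTS_RE.search(line)
        if m and counts is None:
            counts = tuple(int(x) for x in m.groups())
            continue
        m = MAPP_RE.match(line)
        if m:
            mapp[int(m.group(1))] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and section in ("added", "modified", "disabled"):
            sid, ruleset, cat, name, fname = m.groups()
            rules.append(Rule(int(sid), ruleset, cat, name, fname, section, tier))
    return rules, mapp, counts


def check_counts(rules, counts):
    """Verify the header line against the parsed rules.

    Assumption: "N new Pro (A + B)" means the Pro ruleset gained N rules, of
    which A are Pro-only and B are the Open rules, which ship in both rulesets.
    """
    added = [r for r in rules if r.action == "added"]
    h_open, h_pro, h_pro_only, h_open_in_pro = counts
    return {
        "open_matches": sum(r.tier == "open" for r in added) == h_open,
        "pro_only_matches": sum(r.tier == "pro" for r in added) == h_pro_only,
        "pro_total_consistent": h_pro == h_pro_only + h_open_in_pro and h_open_in_pro == h_open,
        "open_rules_are_ET": all(r.ruleset == "ET" for r in added if r.tier == "open"),
        "pro_rules_are_ETPRO": all(r.ruleset == "ETPRO" for r in added if r.tier == "pro"),
    }


def check_mapp(rules, mapp):
    """Each MAPP SID must be an added rule whose title names the same CVE."""
    by_sid = {r.sid: r for r in rules if r.action == "added"}
    return {sid: (sid in by_sid and cve in by_sid[sid].name) for sid, cve in mapp.items()}


def tally(rules):
    """Count rules per (action, category), e.g. disabled WEB_SPECIFIC_APPS rules."""
    return Counter((r.action, r.category) for r in rules)


# Constructed, abridged sample in the summary's own layout (header adjusted).
SAMPLE = """\
Daily Ruleset Update Summary 2017/12/12

[***]            Summary:            [***]

1 new Open, 5 new Pro (4 + 1). Carbanak/FIN7, GreenFlash SunDown EK, Various Phishing.

December MAPP Coverage:
2828863 -> CVE-2017-11894
2828864 -> CVE-2017-11903
2828865 -> CVE-2017-11907

[+++]          Added rules:          [+++]

Open:

2025146 - ET DNS Query for Suspicious .gr .com Domain (gr .com in DNS Lookup) (dns.rules)

Pro:

2828848 - ETPRO TROJAN Carbanak/FIN7 JS.Backdoor Checkin (trojan.rules)
2828863 - ETPRO WEB_CLIENT MS Edge Scripting Engine Memory Corruption Vuln (CVE-2017-11894) (web_client.rules)
2828864 - ETPRO WEB_CLIENT MS IE 11 UAF Vulnerability (CVE-2017-11903) (web_client.rules)
2828865 - ETPRO WEB_CLIENT MS IE 11 OOB Write Vulnerability (CVE-2017-11907) (web_client.rules)

[///]     Modified active rules:     [///]

2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)

[---]         Disabled rules:        [---]

2004313 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT (web_specific_apps.rules)
2004314 - ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT (web_specific_apps.rules)
"""

if __name__ == "__main__":
    rules, mapp, counts = parse_summary(SAMPLE)
    print(check_counts(rules, counts))
    print(check_mapp(rules, mapp))
    for key, n in sorted(tally(rules).items()):
        print(key, n)
```

Feeding the full summary to parse_summary() gives the complete SID diff for the day; the per-category tally is what usually matters operationally, since a batch of disabled WEB_SPECIFIC_APPS rules or modified POLICY rules can change what a sensor alerts on without any new threat coverage being involved.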

Date: Tuesday, December 12, 2017 - 00:00