*********************** snort-2.4.0 etpro ***********************

[***] Results from Oinkmaster started Mon Oct 14 10:45:46 2013 [***]

[+++]          Added rules:          [+++]

 2017585 - ET TROJAN Possible W32/KanKan tools.ini Request (trojan.rules)
 2017586 - ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request (trojan.rules)
 2017587 - ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon (mobile_malware.rules)
 2017588 - ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon (mobile_malware.rules)
 2017589 - ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check (current_events.rules)
 2017590 - ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA (current_events.rules)

[///]     Modified active rules:     [///]

 2017572 - ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897 (web_client.rules)
 2400000 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400001 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400002 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400003 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400004 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400005 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400006 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400007 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400008 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400009 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400010 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400011 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400012 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400013 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400014 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400015 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400016 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400017 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400018 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400019 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2400020 - ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)
 2402000 - ET DROP Dshield Block Listed Source (dshield.rules)
 2402001 - ET DROP Dshield Block Listed Source (dshield.rules)

[///]    Modified inactive rules:    [///]

 2016993 - ET TROJAN Connection to AnubisNetworks Sinkhole IP (Possible Infected Host) (trojan.rules)

[+++]       Added non-rule lines:    [+++]

 -> Added to drop.rules (2):
    # VERSION 2403
    # Generated 2013-10-13 00:05:01 EDT
 -> Added to sid-msg.map (9):
    2016993 || ET TROJAN Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)
    2017585 || ET TROJAN Possible W32/KanKan tools.ini Request || url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/
    2017586 || ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request || url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/
    2017587 || ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon || url,quequero.org/2013/09/android-opfake-malware-analysis/
    2017588 || ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon || url,quequero.org/2013/09/android-opfake-malware-analysis/
    2017589 || ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check || url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html
    2017590 || ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA || url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
    2500072 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (37) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
    2500073 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (37) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---]      Removed non-rule lines:   [---]

 -> Removed from drop.rules (2):
    # VERSION 2402
    # Generated 2013-10-06 00:05:01 EDT
 -> Removed from sid-msg.map (19):
    2016993 || ET TROJAN Connection to Annibus Sinkhole IP (Possible Infected Host)
    2404148 || ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 25) || url,spyeyetracker.abuse.ch || url,palevotracker.abuse.ch || url,zeustracker.abuse.ch || url,doc.emergingthreats.net/bin/view/Main/BotCC
    2404149 || ET CNC ZeusTracker/SpyeyeTracker Reported CnC Server UDP (group 25) || url,spyeyetracker.abuse.ch || url,palevotracker.abuse.ch || url,zeustracker.abuse.ch || url,doc.emergingthreats.net/bin/view/Main/BotCC
    2520880 || ET TOR Known Tor Exit Node TCP Traffic (441) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520881 || ET TOR Known Tor Exit Node UDP Traffic (441) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520882 || ET TOR Known Tor Exit Node TCP Traffic (442) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520883 || ET TOR Known Tor Exit Node UDP Traffic (442) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520884 || ET TOR Known Tor Exit Node TCP Traffic (443) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520885 || ET TOR Known Tor Exit Node UDP Traffic (443) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520886 || ET TOR Known Tor Exit Node TCP Traffic (444) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520887 || ET TOR Known Tor Exit Node UDP Traffic (444) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520888 || ET TOR Known Tor Exit Node TCP Traffic (445) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520889 || ET TOR Known Tor Exit Node UDP Traffic (445) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520890 || ET TOR Known Tor Exit Node TCP Traffic (446) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520891 || ET TOR Known Tor Exit Node UDP Traffic (446) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520892 || ET TOR Known Tor Exit Node TCP Traffic (447) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520893 || ET TOR Known Tor Exit Node UDP Traffic (447) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520894 || ET TOR Known Tor Exit Node TCP Traffic (448) || url,doc.emergingthreats.net/bin/view/Main/TorRules
    2520895 || ET TOR Known Tor Exit Node UDP Traffic (448) || url,doc.emergingthreats.net/bin/view/Main/TorRules