*********************** snort-2.4.0 open ***********************

[***] Results from Oinkmaster started Tue Apr 16 19:57:34 2013 [***]

[+++] Added rules: [+++]

    2015006 - ET DELETED SofosFO exploit kit jar download (emerging-deleted.rules)
    2015007 - ET DELETED SofosFO exploit kit version check (emerging-deleted.rules)
    2015009 - ET DELETED SofosFO exploit kit payload download (emerging-deleted.rules)
    2015750 - ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (emerging-deleted.rules)
    2015751 - ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2) (emerging-deleted.rules)
    2016046 - ET DELETED SofosFO/NeoSploit possible second stage landing page (2) (emerging-deleted.rules)
    2016241 - ET DELETED SofosFO - Landing Page (emerging-deleted.rules)
    2016758 - ET POLICY Bitcoin Mining Extensions Header (emerging-policy.rules)
    2016759 - ET TROJAN Win32/Redyms.A Checkin (emerging-trojan.rules)
    2016760 - ET WEB_SERVER WebShell - PHPShell - Comment (emerging-web_server.rules)
    2016761 - ET WEB_SERVER WebShell - PHPShell - Haxplorer URI (emerging-web_server.rules)
    2016762 - ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI (emerging-web_server.rules)

[///] Modified active rules: [///]

    2009532 - ET TROJAN BackDoor-EGB Check-in (emerging-trojan.rules)
    2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (emerging-policy.rules)
    2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (emerging-policy.rules)
    2016070 - ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing (emerging-current_events.rules)
    2016706 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1) (emerging-current_events.rules)
    2402000 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2402001 - ET DROP Dshield Block Listed Source (emerging-dshield.rules)
    2403300 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403301 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403302 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403303 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403304 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403305 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403306 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403307 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403308 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403309 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403310 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403311 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403312 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403313 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403314 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403315 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403316 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403317 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)
    2403318 - ET CIARMY Collective Intelligence Security Poor Reputation IP (TCP) (emerging-ciarmy.rules)
    2403319 - ET CIARMY Collective Intelligence Security Poor Reputation IP (UDP) (emerging-ciarmy.rules)

[---] Removed rules: [---]

    2015006 - ET CURRENT_EVENTS SofosFO exploit kit jar download (emerging-current_events.rules)
    2015007 - ET CURRENT_EVENTS SofosFO exploit kit version check (emerging-current_events.rules)
    2015009 - ET CURRENT_EVENTS SofosFO exploit kit payload download (emerging-current_events.rules)
    2015750 - ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (emerging-current_events.rules)
    2015751 - ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (2) (emerging-current_events.rules)
    2016046 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (2) (emerging-current_events.rules)
    2016241 - ET CURRENT_EVENTS SofosFO - Landing Page (emerging-current_events.rules)

[+++] Added non-rule lines: [+++]

    -> Added to emerging-ciarmy.rules (1):
       # Version 218
    -> Added to sid-msg.map (15):
       2009532 || ET TROJAN BackDoor-EGB Check-in || url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060 || url,doc.emergingthreats.net/2009532
       2015006 || ET DELETED SofosFO exploit kit jar download
       2015007 || ET DELETED SofosFO exploit kit version check
       2015009 || ET DELETED SofosFO exploit kit payload download
       2015750 || ET DELETED SofosFO/NeoSploit possible landing page 10/01/12
       2015751 || ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)
       2016046 || ET DELETED SofosFO/NeoSploit possible second stage landing page (2)
       2016241 || ET DELETED SofosFO - Landing Page
       2016758 || ET POLICY Bitcoin Mining Extensions Header
       2016759 || ET TROJAN Win32/Redyms.A Checkin
       2016760 || ET WEB_SERVER WebShell - PHPShell - Comment
       2016761 || ET WEB_SERVER WebShell - PHPShell - Haxplorer URI
       2016762 || ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI
       2520162 || ET TOR Known Tor Exit Node TCP Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules
       2520163 || ET TOR Known Tor Exit Node UDP Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules

[---] Removed non-rule lines: [---]

    -> Removed from emerging-ciarmy.rules (1):
       # Version 217
    -> Removed from sid-msg.map (12):
       2009532 || ET TROJAN Unknown Trojan Check-in (3) || url,doc.emergingthreats.net/2009532
       2015006 || ET CURRENT_EVENTS SofosFO exploit kit jar download
       2015007 || ET CURRENT_EVENTS SofosFO exploit kit version check
       2015009 || ET CURRENT_EVENTS SofosFO exploit kit payload download
       2015750 || ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12
       2015751 || ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (2)
       2016046 || ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (2)
       2016241 || ET CURRENT_EVENTS SofosFO - Landing Page
       2404148 || ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 25) || url,spyeyetracker.abuse.ch || url,palevotracker.abuse.ch || url,zeustracker.abuse.ch || url,doc.emergingthreats.net/bin/view/Main/BotCC
       2404149 || ET CNC ZeusTracker/SpyeyeTracker Reported CnC Server UDP (group 25) || url,spyeyetracker.abuse.ch || url,palevotracker.abuse.ch || url,zeustracker.abuse.ch || url,doc.emergingthreats.net/bin/view/Main/BotCC
       2500106 || ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
       2500107 || ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (54) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts