Snort mailing list archives
Re: [Emerging-Sigs] Some signatures not appearing in the log
From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Thu, 17 Apr 2014 19:56:39 +0000
Then what could be the possible reason for not getting the said signature?

Sent from Handheld

On 18-Apr-2014 1:14 am, "Joel Esler (jesler)" <jesler () cisco com> wrote:

I don't think Emerging Threats uses the policies, so I don't see why setting that for the VRT set would affect the ET rules.

On Apr 17, 2014, at 3:31 PM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

I mean to say we don't have a subscription for the paid signatures. We are on the free set of signatures. But I am waiting for the answer to my query.

Sent from Handheld

On 18-Apr-2014 12:21 am, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Sourcefire = VRT

On Apr 17, 2014, at 1:34 PM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:
That reminds me to give additional information on my issue, which is: I'm using the free set of signatures from ET & Sourcefire. So in my case VRT is out of scope.

Regards,
Anshuman

Sent from Handheld

On 17-Apr-2014 5:37 pm, Conma <conma293 () gmail com> wrote:

I thought that if you set the 'security' policy setting in PulledPork it only downloads VRT, but this does not seem to be the case...

Sorry to ask another question on your thread, but I seem to only be getting alert descriptions for some (I think predominantly VRT) rules, while a lot just say the stupid "snort rule 1:2464454" thing.... Any guidance on this? Assumed that was from the sid-msg.map, which PulledPork updates anyways?

Sent from my iPad

On 17/04/2014, at 7:55 pm, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Hi,

I was just referring to the latest Daily Ruleset Update Summary against my latest log for signature updates. I see that one of the signatures is missing. The missing signature is "2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken, ultimately all the rules should get downloaded no matter which rule state we use. Rule state would just enable or disable the rule depending upon which rule state is configured. I am using the state "Security over connectivity". PulledPork 0.70 is used to update the rules; we are on Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old, but as I am already getting all other signatures it doesn't look like an issue with the Snort version, right? This is my test setup and it is used for learning purposes. See below log extract from sid_changes.log. Thank you in advance.
-=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

New Rules
ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
ET TROJAN Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
ET TROJAN Common Upatre Header Structure (1:2018394)
ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
ET TROJAN plasmabot Checkin (1:2018393)

Deleted Rules
ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)

Set Policy: security

Rule Totals
    New:-------12
    Deleted:---6
    Enabled:---6148
    Dropped:---0
    Disabled:--32295
    Total:-----38443

IP Blacklist Stats
    Total IPs:-----2590

-=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

Regards,
Anshuman

-----Original Message-----
From: emerging-updates-bounces () lists emergingthreats net [mailto:emerging-updates-bounces () lists emergingthreats net] On Behalf Of Francis Trudeau
Sent: Thursday, April 17, 2014 4:28 AM
To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014
[***] Summary: [***]

6 new Open signatures, 16 new Pro (6/10). CryptoDefense, Nuclear EK, InstallBrain, Hupigon.

Thanks: Nathan Fowler, tdzmont, @EKWatcher

[+++] Added rules: [+++]

Open:

2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
2018395 - ET TROJAN Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

Pro:

2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)

[///] Modified active rules: [///]

2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
2017714 - ET TROJAN PlugX Checkin (trojan.rules)
2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)

[---] Removed rules: [---]

2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)

_______________________________________________
Emerging-updates mailing list
Emerging-updates () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
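One way to cross-check the two artefacts compared in this thread, as an added example that is not from the thread, from PulledPork or from Emerging Threats: pull the "New Rules" SIDs out of a PulledPork sid_changes.log block and the Open "Added" and "Removed" SIDs out of an ET Daily Ruleset Update Summary, then report, for each Open SID the summary says was added, whether the local log recorded it as new. The two excerpts are constructed from entries quoted above and abridged; the function names and status strings are the example's own.

```python
import re
# Constructed excerpts, abridged from the entries quoted in this thread (not full copies).
SID_CHANGES_LOG = """\
New Rules
ET TROJAN plasmabot Checkin (1:2018393)
ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
Set Policy: security
"""
UPDATE_SUMMARY = """\
[+++] Added rules: [+++]
Open:
2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
Pro:
2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
[---] Removed rules: [---]
2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
"""

def pulledpork_new_sids(text):
    """SIDs PulledPork listed under 'New Rules' in sid_changes.log (gid 1 only)."""
    block = text.split("New Rules", 1)[-1].split("Deleted Rules", 1)[0]
    return {int(s) for s in re.findall(r"\(1:(\d+)\)", block)}

def summary_sids(text):
    """(Open SIDs under 'Added rules', every SID under 'Removed rules') from an ET summary."""
    added, removed, section, tier = set(), set(), None, None
    for line in text.splitlines():
        if line.startswith(("[+++]", "[---]")):
            section = "added" if line[1] == "+" else "removed"
        elif line.startswith(("Open:", "Pro:")):
            tier = line[:-1].lower()          # Pro SIDs are skipped for a free-ruleset install
        elif re.match(r"\d+ - ", line):
            sid = int(line.split(" - ", 1)[0])
            if section == "added" and tier == "open":
                added.add(sid)
            elif section == "removed":
                removed.add(sid)
    return added, removed

def reconcile(log_text, summary_text):
    """For each Open SID the summary says was added, report what the local log shows."""
    local_new = pulledpork_new_sids(log_text)
    added, removed = summary_sids(summary_text)
    # A SID that upstream lists as both Added and Removed already existed (different rules file)
    moved = "not new: same SID also in the upstream Removed list (different rules file)"
    return {sid: "new locally" if sid in local_new else moved if sid in removed
            else "not reported by PulledPork" for sid in sorted(added)}
```

Run against the two excerpts, 2018393 and 2018397 come back "new locally" while 2008282 is flagged as the SID that appears in both the Added and Removed lists.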
Current thread:
- Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
- Re: Some signatures not appearing in the log Conma (Apr 17)
- <Possible follow-ups>
- Re: Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Joel Esler (jesler) (Apr 17)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Joel Esler (jesler) (Apr 17)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Conma (Apr 18)
- Re: [Emerging-Sigs] Some signatures not appearing in the log Joel Esler (jesler) (Apr 17)