Snort mailing list archives

Re: [Emerging-Sigs] Some signatures not appearing in the log


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 17 Apr 2014 19:43:53 +0000

I don’t think Emerging Threats uses the policies, so I don’t see why setting that for the VRT set would affect the ET rules.


On Apr 17, 2014, at 3:31 PM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:


I mean to say we don't have a subscription for the paid signatures. We are on the free set of signatures.

But I am waiting for the answer to my query.

Sent from Handheld

On 18-Apr-2014 12:21 am, "Joel Esler (jesler)" <jesler () cisco com> wrote:
Sourcefire = VRT


On Apr 17, 2014, at 1:34 PM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

That reminds me to give additional information on my issue, which is: I'm using the free set of signatures from ET & Sourcefire. So in my case VRT is out of scope.

Regards,
Anshuman

Sent from Handheld

On 17-Apr-2014 5:37 pm, Conma <conma293 () gmail com> wrote:

I thought that if you set the 'security' policy setting in PulledPork it only downloads VRT, but this does not seem to be the case...

Sorry to ask another question on your thread, but I seem to only be getting alert descriptions for some (I think predominantly VRT) rules, while a lot just say the stupid snort rule 1:2464454 thing....

Any guidance on this? I assumed that was from the sid-msg.map which PulledPork updates anyway?

Sent from my iPad

On 17/04/2014, at 7:55 pm, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Hi,



I was just cross-referencing the latest Daily Ruleset Update Summary with my latest log of signature updates. I see that one of the signatures is missing. The missing signature is "2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken, ultimately all the rules should get downloaded no matter which rule state we use. The rule state would just enable or disable the rule depending upon which rule state is configured.



I am using the state "Security over connectivity". PulledPork 0.70 is used to update the rules, and we are on Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old, but as I am already getting all the other signatures it doesn't look like an issue with the Snort version, right? This is my test setup and it is used for learning purposes.



See the log extract from sid_changes.log below.



Thank you in advance.



-=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

New Rules
     ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
     ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
     ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
     ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
     ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
     ET TROJAN Common Upatre Header Structure (1:2018394)
     ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
     ET TROJAN plasmabot Checkin (1:2018393)

Deleted Rules
     ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
     ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
     ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
     ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
     ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
     ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)

Set Policy: security

Rule Totals
     New:-------12
     Deleted:---6
     Enabled:---6148
     Dropped:---0
     Disabled:--32295
     Total:-----38443

IP Blacklist Stats
     Total IPs:-----2590

-=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-





Regards,

Anshuman



-----Original Message-----
From: emerging-updates-bounces () lists emergingthreats net [mailto:emerging-updates-bounces () lists emergingthreats net] On Behalf Of Francis Trudeau
Sent: Thursday, April 17, 2014 4:28 AM
To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014



[***] Summary: [***]

6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK, InstallBrain, Hupigon.

Thanks:  Nathan Fowler, tdzmont, @EKWatcher

[+++]          Added rules:          [+++]

Open:

  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
  2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
  2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
  2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

Pro:

  2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
  2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
  2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
  2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
  2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
  2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
  2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
  2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
  2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
  2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)

[///]     Modified active rules:     [///]

  2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
  2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
  2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
  2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
  2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
  2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)

[---]         Removed rules:         [---]

  2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
_______________________________________________
Emerging-updates mailing list
Emerging-updates () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates




"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private 
Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended 
to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the 
contents of this message is strictly prohibited. If you have received this electronic message in error please 
notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every 
reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you 
may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content 
checks before opening the e-mail or attachment." www.cybage.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro 
http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!





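The thread turns on three different things that can make a rule "not appear": the SID was never written into the downloaded rules file, the SID was downloaded but left commented out by the configured rule state, or the rule fires but sid-msg.map has no entry for it, so the console shows only the bare 1:SID identifier. The checker below is an added example, not code from the thread or from PulledPork; it assumes the Snort 2.x rule-line syntax (a disabled rule is the same line with a leading "#") and the v1 sid-msg.map layout ("sid || msg || ref"). The rule bodies and the map excerpt are constructed for the example; only the msg strings reuse names from the update summary above, and the policy-metadata rule is a made-up VRT-style stand-in, since ET rules carry no policy metadata (Joel's point).

```python
import re
from dataclasses import dataclass, field
from typing import Dict

# Constructed sample of a PulledPork-processed rules file.  The msg strings reuse
# SIDs named in the thread, but the rule bodies are made up for this example and
# are NOT the real Emerging Threats rules.  A rule PulledPork has disabled stays
# in the file commented out with a leading "#".
SAMPLE_RULES = """\
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoDefense DNS Domain Lookup"; content:"|01 00 00 01|"; sid:2018397; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert"; flow:established,from_server; content:"browsetor"; nocase; sid:2018396; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; sid:2008282; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE VRT-style rule with policy metadata"; metadata:policy security-ips drop, policy balanced-ips alert; sid:1000001; rev:1;)
"""

# Constructed sid-msg.map excerpt in the Snort 2.x v1 layout (sid || msg || ref).
# SID 2018396 is deliberately absent, so its alerts would show only "1:2018396".
SAMPLE_SID_MSG_MAP = """\
2018397 || ET TROJAN CryptoDefense DNS Domain Lookup || url,example.invalid/cryptodefense
1000001 || EXAMPLE VRT-style rule with policy metadata
"""

RULE_RE = re.compile(r"^\s*(?P<disabled>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s.*\(.*\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
POLICY_RE = re.compile(r"\bpolicy\s+([\w-]+)\s+(alert|drop)")


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool  # False when the rule line is commented out
    policies: Dict[str, str] = field(default_factory=dict)  # policy name -> action


def parse_rules(text: str) -> Dict[int, Rule]:
    """Index every rule line, enabled or commented out, by SID."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid_m = SID_RE.search(line) if m else None
        if not sid_m:
            continue  # blank line, ordinary comment, or no sid option
        msg_m = MSG_RE.search(line)
        sid = int(sid_m.group(1))
        rules[sid] = Rule(
            sid=sid,
            msg=msg_m.group(1) if msg_m else "",
            enabled=m.group("disabled") is None,
            policies=dict(POLICY_RE.findall(line)),
        )
    return rules


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Read a v1 sid-msg.map: 'sid || msg || ref ...', one SID per line."""
    mapping: Dict[int, str] = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            mapping[int(parts[0])] = parts[1]
    return mapping


def diagnose(sid: int, rules: Dict[int, Rule], sid_msg: Dict[int, str]) -> str:
    """Classify why a SID does not show up, or shows up without a description."""
    rule = rules.get(sid)
    if rule is None:
        return "missing"  # never written to the rules file: not a rule-state question
    if not rule.enabled:
        return "disabled"  # downloaded, but commented out by the configured rule state
    if sid not in sid_msg:
        return "enabled-no-msg"  # fires, but the console can only show gid:sid
    return "enabled"


def governed_by_policy(rule: Rule) -> bool:
    """True only if the rule carries policy metadata that an ips_policy setting acts on."""
    return bool(rule.policies)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    sid_msg = parse_sid_msg_map(SAMPLE_SID_MSG_MAP)
    for sid in (2008282, 2018396, 2018397, 2405088, 1000001):
        rule = rules.get(sid)
        note = "policy metadata" if rule and governed_by_policy(rule) else "no policy metadata"
        print(f"{sid}: {diagnose(sid, rules, sid_msg)} ({note})")
```

Run against a real PulledPork output directory by reading the rules file and sid-msg.map into the two parse functions; the "missing" verdict for a SID that the Daily Ruleset Update Summary lists as added points at the download or the rule-file merge, while "disabled" points at the rule state, and "enabled-no-msg" is the sid-msg.map problem described in the thread.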
