Snort mailing list archives

Re: Pulled Pork Not Enableing ET Rules


From: "Gibson, Nathan J. (HSC)" <Nathan-Gibson () ouhsc edu>
Date: Fri, 20 May 2011 17:33:48 -0500

Could anything in this list disable all ET rules?

1:17137            # # WEB-MISC HP Intelligent Management Center information disclosure attempt
1:529              # # NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt
1:2011714          # # ET CURRENT_EVENTS Hidden iframe Served by nginx - Likely Hostile Code
1:1990             # # CHAT MSN user search
1:2011009          # # ET CURRENT_EVENTS Java JAR PROPFIND via DAV possible alternative JVM exploit
1:540              # # CHAT MSN message
1:2010906          # # ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)
1:2008103          # # ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound
1:2008104          # # ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound
1:2008105          # # ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound
1:2008106          # # ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound
1:2008107          # # ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound
1:2008108          # # ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound
1:2008109          # # ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound
1:2008110          # # ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound
1:2000348          # # ET ATTACK RESPONSE IRC - Channel JOIN on non-std port
1:2001564          # # ET MALWARE MarketScore.com Spyware Proxied Traffic
1:2001562          # # ET USER_AGENTS MarketScore.com Spyware User Configuration and Setup Access
1:2001259          # # ET CHAT Yahoo IM file transfer request
1:2001858          # # ET USER_AGENTS Hotbar Spyware User Agent
1:2008210          # # ET USER_AGENTS Suspicious Misspelled Mozilla User-Agent (Mozila)
1:2003492          # # ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1:2000538          # # ET SCAN NMAP -sA (1)
1:2001253          # # ET CHAT Yahoo IM successful logon
1:2001254          # # ET CHAT Yahoo IM voicechat
1:2001255          # # ET CHAT Yahoo IM ping
1:2001256          # # ET CHAT Yahoo IM conference invitation
1:2001257          # # ET CHAT Yahoo IM conference logon success
1:2001258          # # ET CHAT Yahoo IM conference message
1:2001427          # # ET CHAT Yahoo IM Unavailable Status
1:2001260          # # ET CHAT Yahoo IM message
1:2001261          # # ET CHAT Yahoo IM successful chat join
1:2001262          # # ET CHAT Yahoo IM conference offer invitation
1:2001263          # # ET CHAT Yahoo IM conference request
1:2002659          # # ET CHAT Yahoo IM Client Install
1:2001044          # # ET Yahoo Briefcase Upload
1:5998             # # P2P Skype client login startup
1:5693             # # P2P Skype client start up get latest version attempt
1:5999             # # P2P Skype client login
1:2003287          # # ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)
1:2003286          # # ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)
1:2000369          # # ET P2P BitTorrent Announce
1:2008583          # # ET P2P BitTorrent DHT nodes reply
1:2000369          # # ET P2P BitTorrent Announce
1:2008585          # # ET P2P BitTorrent DHT announce_peers request
1:2008581          # # ET P2P BitTorrent DHT ping request
1:2008584          # # ET P2P BitTorrent DHT get_peers request
1:2000357          # # ET P2P BitTorrent Traffic
1:2181             # # P2P BitTorrent transfer
1:2002151          # # ET GAMES Battle.net error message
1:2002150          # # ET GAMES Battle.net informational message
1:2002118          # # ET GAMES Battle.net user in channel
1:2002144          # # ET GAMES Battle.net joined channel
1:2002115          # # ET GAMES Battle.net failed account login (OLS)\: wrong password
1:2002102          # # ET GAMES Battle.net Brood War login
1:2002139          # # ET GAMES World of Warcraft failed logon
1:2003089          # # ET GAMES STEAM Connection (v2)
1:2002119          # # ET GAMES Battle.net outgoing chat message
1:2002140          # # ET GAMES Battle.net user joined channel
1:2002117          # # ET GAMES Battle.net connection reset (possible IP-Ban)
1:2002855          # # ET GAMES Blizzard Downloader
1:2002141          # # ET GAMES Battle.net user left channel
1:2010347          # # ET TROJAN Fake/Rogue AV Landing Page Encountered
1:2002894          # # ET VIRUS W32.Nugache SMTP Inbound
1:12592            # # SMTP Recipient arbitrary command injection attempt
1:2050             # # SQL version overflow attempt
1:2001034          # # ET MALWARE Fun Web Products Agent Traffic
1:2011178          # # ET CURRENT_EVENTS FakeAV Download with Cookie WinSec
1:2009701          # # ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt
1:2011766          # # ET SCAN Sipvicious User-Agent Detected (sundayddr)
1:2011332          # # ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit
1:2011339          # # ET CURRENT_EVENTS PHARMSPAM image requested layout viagra_super_active.jpg
1:2007805          # # ET TROJAN Blink.com related Backdoor Checkin
1:2011222          # # ET CURRENT_EVENTS Malvertising drive by kit encountered - bmb cookie
1:2011373          # # ET CURRENT_EVENTS FakeAV client requesting fake scanner page
1:2011356          # # ET USER_AGENTS SeaPort User-Agent Detected Likely Bing reporting user activity
1:2011460          # # ET CURRENT_EVENTS FAKEAV client requesting fake scanner page 2
1:2011409          # # ET CURRENT_EVENTS DNS Query for Suspicious .co.cc Domain
1:2011408          # # ET CURRENT_EVENTS DNS Query for Suspicious .com.cn Domain
1:2011420          # # ET CURRENT_EVENTS FAKEAV client requesting image - sector.hdd.png
1:2008547          # # ET TROJAN PECompact2 Packed Binary - Likely Hostile
1:2011405          # # ET TROJAN sweetcandy.biz related POST ch=1
1:2009031          # # ET TROJAN Possible Armitage Loader Request
1:2011411          # # ET CURRENT_EVENTS DNS Query for Suspicious .co.kr Domain
1:17246            # # SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt
1:17317            # # SPECIFIC-THREATS OpenSSH sshd Identical Blocks DOS attempt
1:17297            # # SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt
1:2007962          # # ET TROJAN Vipdataend C&C Traffic - Checkin
1:2011546          # # ET CURRENT_EVENTS FAKEAV client requesting fake scanner page
1:17520            # # EXPLOIT CA ARCserve Backup DB Engine Denial of Service
1:2007964          # # ET TROJAN Vipdataend C&C Traffic - Server Status OK
1:2011374          # # ET CURRENT_EVENTS HTTP contacting a suspicious *.co.cc domain
1:2011820          # # ET TROJAN Fake AV CnC Checkin cycle_report
1:2011375          # # ET CURRENT_EVENTS HTTP contacting a suspicious *.cz.cc domain
1:2011912          # # ET CURRENT_EVENTS Possible Fake AV Checkin
1:2011970          # # ET CURRENT_EVENTS SWF served from /tmp/
1:2011921          # # ET CURRENT_EVENTS FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon
1:2011923          # # ET CURRENT_EVENTS FAKEAV CryptMEN - inst.exe Payload Download
1:2011920          # # ET CURRENT_EVENTS FAKEAV CryptMEN - 302 Redirect
1:2011955          # # ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious lib.pdf
1:2011419          # # ET CURRENT_EVENTS FAKEAV landing page - sector.hdd.png no-repeat
1:2011468          # # ET CURRENT_EVENTS MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit
1:2011469          # # ET CURRENT_EVENTS MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit
1:2011495          # # ET CURRENT_EVENTS Executable Download named to be .com FQDN
1:2011991          # # ET CURRENT_EVENTS FAKEAV Gemini systempack exe download
1:2011917          # # ET CURRENT_EVENTS FAKEAV Gemini - JavaScript Redirection To Scanning Page
1:2011918          # # ET CURRENT_EVENTS FAKEAV Gemini - JavaScript Redirection To FakeAV Binary
1:2011066          # # ET CURRENT_EVENTS TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV
1:2008575          # # ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile
129:1-129:19
1:15587
137:1
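To answer the question above mechanically rather than by eye, here is an added Python script (it is not from the original post and is not pulledpork's own code) that parses a disablesid.conf in the forms pulledpork's sample file documents: single gid:sid entries, gid:sid-gid:sid ranges, pcre: patterns matched against rule messages, and Source-category names, with trailing or full-line # comments. It then reports which entries are single ET SIDs and which are broad enough to silence ET rules wholesale. It assumes that Emerging Threats open rules occupy SIDs 2000000 to 2999999 and that a category name starting with ET- selects an entire Emerging Threats rules file. The embedded sample copies a few lines from the posted list and appends three constructed entries, marked as such, so that the broad-entry report has something to show.

```python
import re

# Emerging Threats open rules use SIDs 2000000-2999999 (assumption, see lead-in).
ET_SID_MIN, ET_SID_MAX = 2000000, 2999999

# Constructed sample: a few lines copied from the posted disablesid.conf, followed
# by three hypothetical entries (marked) that show the broad forms to look for.
SAMPLE_DISABLESID = """\
1:17137            # # WEB-MISC HP Intelligent Management Center information disclosure attempt
1:2011714          # # ET CURRENT_EVENTS Hidden iframe Served by nginx - Likely Hostile Code
1:2008103          # # ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound
1:540              # # CHAT MSN message
129:1-129:19
1:15587
137:1
# --- hypothetical entries below, not from the post ---
1:2000000-1:2999999   # a range that spans the whole ET SID space
ET-emergingthreats    # a Source-category entry (a whole rules file)
pcre:Yahoo IM         # a message pattern, applied to every rule
"""

SID_RE = re.compile(r"^(\d+):(\d+)$")
RANGE_RE = re.compile(r"^(\d+):(\d+)-(\d+):(\d+)$")
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def parse_disablesid(text):
    """Return a list of (kind, value) tuples; kind is 'sid', 'range', 'pcre' or 'category'."""
    entries = []
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()   # drop "# ..." comments, full-line or trailing
        if not line:
            continue
        if line.startswith("pcre:"):              # a pattern may contain commas; take it whole
            entries.append(("pcre", line[len("pcre:"):]))
            continue
        for tok in (t.strip() for t in line.split(",")):   # several entries may share a line
            if not tok:
                continue
            m = RANGE_RE.match(tok)
            if m:
                entries.append(("range", tuple(int(x) for x in m.groups())))
                continue
            m = SID_RE.match(tok)
            if m:
                entries.append(("sid", (int(m.group(1)), int(m.group(2)))))
                continue
            entries.append(("category", tok))     # anything else is a Source-category name
    return entries


def is_et_sid(gid, sid):
    return gid == 1 and ET_SID_MIN <= sid <= ET_SID_MAX


def broad_et_entries(entries):
    """Entries whose effect is not limited to one named SID and that can reach ET rules."""
    broad = []
    for kind, val in entries:
        if kind == "range":
            gid1, sid1, gid2, sid2 = val
            # a gid-1 range that overlaps the ET SID space
            if gid1 == 1 and gid2 == 1 and sid1 <= ET_SID_MAX and sid2 >= ET_SID_MIN:
                broad.append((kind, val))
        elif kind == "category" and val.upper().startswith("ET-"):
            broad.append((kind, val))
        elif kind == "pcre":
            # matched against every rule's msg, so it can hit any number of ET rules
            broad.append((kind, val))
    return broad


def is_disabled(entries, gid, sid, msg="", category=""):
    """Would a rule (gid:sid with this msg, from rules file 'category') be disabled?"""
    for kind, val in entries:
        if kind == "sid" and val == (gid, sid):
            return True
        if kind == "range":
            gid1, sid1, gid2, sid2 = val
            if gid1 == gid == gid2 and sid1 <= sid <= sid2:
                return True
        if kind == "pcre" and msg and re.search(val, msg):
            return True
        if kind == "category" and category and val.lower() == category.lower():
            return True
    return False


def summarize(text):
    """Counts plus the list of broad entries, for a quick report on a disablesid.conf."""
    entries = parse_disablesid(text)
    et_single = sum(1 for k, v in entries if k == "sid" and is_et_sid(*v))
    return {"entries": len(entries), "et_single_sids": et_single, "broad": broad_et_entries(entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_DISABLESID)
    print(f"{report['entries']} entries, {report['et_single_sids']} single ET SIDs")
    for kind, val in report["broad"]:
        print(f"  broad {kind}: {val}")
```

Run it against the real file with summarize(open("disablesid.conf").read()). If the broad list comes back empty, the file only touches the individual SIDs it names and cannot be what is switching off every ET rule, so the cause has to be looked for elsewhere (the ignore list or a policy setting in pulledpork.conf).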


From: Gibson, Nathan J. (HSC)
Sent: Friday, May 20, 2011 5:26 PM
To: 'Eoin Miller'; JJC
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulled Pork Not Enableing ET Rules

Okay, I took Eoin's advice and removed all the categories from my disablesid.conf and put them in the pulledpork.conf 
ignore list. However, it still isn't enabling my ET rules. Everything else in my original e-mail remains the same. There 
has to be something in my disablesid.conf that is disabling all the ET rules. I just can't figure out what it is.

From: Gibson, Nathan J. (HSC)
Sent: Friday, May 20, 2011 3:24 PM
To: 'Eoin Miller'; JJC
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulled Pork Not Enableing ET Rules

I am not specifying a security policy (per the documentation I am providing). I have read through the documentation in 
the enablesid and disablesid. I am obviously missing something because I felt I followed them to a "T"... That's why I 
included all the documentation in the e-mail so someone can look at them and tell me what I am missing.

From: Eoin Miller [mailto:eoin.miller () trojanedbinaries com]
Sent: Friday, May 20, 2011 3:15 PM
To: JJC
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulled Pork Not Enableing ET Rules

On 5/20/2011 8:13 PM, JJC wrote:
Actually, the default behavior should be to leave the rules in the state that they were in in the original source 
files. Of course, if you specify a security policy base (Security, Balanced, Connectivity) then it will modify the 
rule state based on the metadata.

JJC

Just put what you want to omit into the ignore list, otherwise the default behavior is to enable the rule.

-- Eoin

Meant to say rules file. Not sid specifically.


-- Eoin
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users