http://doc.emergingthreats.net/bin/view/Main The web for users, groups and offices. TWiki is an Enterprise Collaboration Platform. en-us Copyright 2008 Emerging Threats and Contributing Authors Emerging Admin [jonkman@emergingthreats.net] The contributing authors of TWiki TWiki http://doc.emergingthreats.net/bin/view/Main http://doc.emergingthreats.net/pub/TWiki/TWikiLogos/T-logo-140x40-t.gif http://doc.emergingthreats.net/bin/view/Main/2008468 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN LDPinch Checkin Flowbit set"; flow:established,to server; content:"POST "; depth:5; uricontent ... (last changed by TWikiGuest) 2008-07-24T19:05:03Z guest http://doc.emergingthreats.net/bin/view/Main/2008469 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET TROJAN LDPinch Checkin v2"; flowbits:isset,ET.PINCH; flow:established,to server; content:"a "; nocase ... (last changed by TWikiGuest) 2008-07-24T19:05:03Z guest http://doc.emergingthreats.net/bin/view/Main/2008470 alert udp any 53 $HOME NET any (msg:"ET CURRENT EVENTS Excessive NXDOMAIN responses Possible DNS Poisoning Attempt Backscatter"; byte test:1, ,128,2; byte test ... (last changed by TWikiGuest) 2008-07-24T19:05:03Z guest http://doc.emergingthreats.net/bin/view/Main/2008446 alert udp any 53 $DNS SERVERS any (msg:"ET CURRENT EVENTS Excessive DNS Responses with 1 or more RR's (100 in 10 seconds) possible Cache Poisoning Attempt"; ... (last changed by TWikiGuest) 2008-07-24T16:19:45Z guest http://doc.emergingthreats.net/bin/view/Main/2008466 alert udp any 53 $HOME NET any (msg:"ET CURRENT EVENTS Excessive NXDOMAIN Responses (not authoritative)"; byte test:1, ,128,2; byte test:1, ,3, 1,relative; threshold ... (last changed by TWikiGuest) 2008-07-24T15:52:36Z guest http://doc.emergingthreats.net/bin/view/Main/2008077 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET CURRENT EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to server; content: ... (last changed by TWikiGuest) 2008-07-24T15:44:46Z guest http://doc.emergingthreats.net/bin/view/Main/2008467 alert tcp $EXTERNAL NET any $HOME NET $HTTP PORTS (msg:"ET WEB Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to server; uricontent ... (last changed by TWikiGuest) 2008-07-24T13:48:51Z guest http://doc.emergingthreats.net/bin/view/Main/2008176 alert tcp $EXTERNAL NET any $HOME NET $HTTP PORTS (msg:"ET WEB Possible SQL Injection (exec)"; flow:established,to server; uricontent:"exec("; nocase; classtype ... (last changed by TWikiGuest) 2008-07-24T13:48:51Z guest http://doc.emergingthreats.net/bin/view/Main/2008175 alert tcp $EXTERNAL NET any $HOME NET $HTTP PORTS (msg:"ET WEB Possible SQL Injection (varchar)"; flow:established,to server; uricontent:"varchar("; nocase; classtype ... (last changed by TWikiGuest) 2008-07-24T13:48:51Z guest http://doc.emergingthreats.net/bin/view/Main/2008465 alert udp $HOME NET 1024: $EXTERNAL NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C C traffic"; content:" 6C 3C " ... (last changed by TWikiGuest) 2008-07-23T17:17:48Z guest http://doc.emergingthreats.net/bin/view/Main/2001854 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to server; content:"User Agent\: ezula"; classtype ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest http://doc.emergingthreats.net/bin/view/Main/2008372 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Adsincontext.com Related Spyware User Agent (Connector v1.2)"; flow: established; content:"User ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest http://doc.emergingthreats.net/bin/view/Main/2001852 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE 404Search Spyware User Agent"; flow:established,to server; content:"User Agent\: 404search"; ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest http://doc.emergingthreats.net/bin/view/Main/2008457 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Deepdo Toolbar User Agent (FavUpdate)"; flow:established,to server; content:" 0d 0a User Agent ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest http://doc.emergingthreats.net/bin/view/Main/2008371 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Likely Ad ware installation phoning home (success and NSISDL User Agent)"; flow: established ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest http://doc.emergingthreats.net/bin/view/Main/2008423 alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:"ET MALWARE Suspicious User Agent (CFS Agent)"; flow:established,to server; content:" 0d 0a User Agent\: ... (last changed by TWikiGuest) 2008-07-23T14:00:23Z guest