Security Pattern Updates

This is a complete list of the modified, newly added and deleted rules in the latest Astaro IPS Pattern Up2date. IPS Pattern Up2dates are installed automatically on your appliance if you have enabled this in WebAdmin.

We suggest that you set the pattern download and installation intervals to 15 minutes, which is the default. This option can be found under the following path: WebAdmin >> Management >> Up2Date >> Pattern download/installation interval.

If this has already been set, there is no need to make any further adjustments.

Date: 2011-02-10

New rules:
18458 < -> BOTNET-CNC Night Dragon initial beacon (botnet-cnc.rules, High)
18459 < -> BOTNET-CNC Night Dragon keepalive message (botnet-cnc.rules, High)
Updated rules:
15357 < -> WEB-CLIENT Adobe PDF JBIG2 remote code execution attempt (web-client.rules, High)

Date: 2011-02-08

New rules:
18336 < -> BLACKLIST USER-AGENT known malicious user-agent string gbot/2.3 (blacklist.rules, High)
18337 < -> BLACKLIST USER-AGENT known malicious user-agent string iamx/3.11 (blacklist.rules, High)
18338 < -> BLACKLIST USER-AGENT known malicious user-agent string NSISDL/1.2 (blacklist.rules, High)
18339 < -> BLACKLIST USER-AGENT known malicious user-agent string NSIS_Inetc (blacklist.rules, High)
18340 < -> BLACKLIST USER-AGENT known malicious user-agent string ClickAdsByIE 0.7.5 (blacklist.rules, High)
18341 < -> BLACKLIST USER-AGENT known malicious user-agent string UtilMind HTTPGet (blacklist.rules, High)
18342 < -> BLACKLIST USER-AGENT known malicious user-agent string NSIS_DOWNLOAD (blacklist.rules, High)
18343 < -> BLACKLIST USER-AGENT known malicious user-agent string WSEnrichment (blacklist.rules, High)
18344 < -> BLACKLIST USER-AGENT known malicious user-agent string FSD (blacklist.rules, High)
18345 < -> BLACKLIST USER-AGENT known malicious user-agent string Macrovision_DM_2.4.15 (blacklist.rules, High)
18346 < -> BLACKLIST USER-AGENT known malicious user-agent string GPRecover (blacklist.rules, High)
18347 < -> BLACKLIST USER-AGENT known malicious user-agent string AutoIt (blacklist.rules, High)
18348 < -> BLACKLIST USER-AGENT known malicious user-agent string Opera/9.80 Pesto/2.2.15 (blacklist.rules, High)
18349 < -> BLACKLIST USER-AGENT known malicious user-agent string Flipopia (blacklist.rules, High)
18350 < -> BLACKLIST USER-AGENT known malicious user-agent string GabPath (blacklist.rules, High)
18351 < -> BLACKLIST USER-AGENT known malicious user-agent string GPUpdater (blacklist.rules, High)
18352 < -> BLACKLIST USER-AGENT known malicious user-agent string PinballCorp-BSAI/VER_STR_COMMA (blacklist.rules, High)
18353 < -> BLACKLIST USER-AGENT known malicious user-agent string SelectRebates (blacklist.rules, High)
18354 < -> BLACKLIST USER-AGENT known malicious user-agent string opera/8.11 (blacklist.rules, High)
18355 < -> BLACKLIST USER-AGENT known malicious user-agent string Se2011 (blacklist.rules, High)
18356 < -> BLACKLIST USER-AGENT known malicious user-agent string random (blacklist.rules, High)
18357 < -> BLACKLIST USER-AGENT known malicious user-agent string Setup Factory (blacklist.rules, High)
18358 < -> BLACKLIST USER-AGENT known malicious user-agent string NSIS_INETLOAD (blacklist.rules, High)
18359 < -> BLACKLIST USER-AGENT known malicious user-agent string Shareaza (blacklist.rules, High)
18360 < -> BLACKLIST USER-AGENT known malicious user-agent string Oncues (blacklist.rules, High)
18361 < -> BLACKLIST USER-AGENT known malicious user-agent string Downloader1.1 (blacklist.rules, High)
18362 < -> BLACKLIST USER-AGENT known malicious user-agent string Search Toolbar 1.1 (blacklist.rules, High)
18363 < -> BLACKLIST USER-AGENT known malicious user-agent string GPRecover (blacklist.rules, High)
18364 < -> BLACKLIST USER-AGENT known malicious user-agent string msndown (blacklist.rules, High)
18365 < -> BLACKLIST USER-AGENT known malicious user-agent string Agentcc (blacklist.rules, High)
18366 < -> BLACKLIST USER-AGENT known malicious user-agent string OCInstaller (blacklist.rules, High)
18367 < -> BLACKLIST USER-AGENT known malicious user-agent string FPRecover (blacklist.rules, High)
18368 < -> BLACKLIST USER-AGENT known malicious user-agent string Our_Agent (blacklist.rules, High)
18369 < -> BLACKLIST USER-AGENT known malicious user-agent string iexp-get (blacklist.rules, High)
18370 < -> BLACKLIST USER-AGENT known malicious user-agent string Mozilla Windows MSIE (blacklist.rules, High)
18371 < -> BLACKLIST USER-AGENT known malicious user-agent string QvodDown (blacklist.rules, High)
18372 < -> BLACKLIST USER-AGENT known malicious user-agent string StubInstaller (blacklist.rules, High)
18373 < -> BLACKLIST USER-AGENT known malicious user-agent string Installer (blacklist.rules, High)
18374 < -> BLACKLIST USER-AGENT known malicious user-agent string MSDN SurfBear (blacklist.rules, High)
18375 < -> BLACKLIST USER-AGENT known malicious user-agent string HTTP Wininet (blacklist.rules, High)
18376 < -> BLACKLIST USER-AGENT known malicious user-agent string Trololo (blacklist.rules, High)
18377 < -> BLACKLIST USER-AGENT known malicious user-agent string malware (blacklist.rules, High)
18378 < -> BLACKLIST USER-AGENT known malicious user-agent string AutoHotkey (blacklist.rules, High)
18379 < -> BLACKLIST USER-AGENT known malicious user-agent string AskInstallChecker (blacklist.rules, High)
18380 < -> BLACKLIST USER-AGENT known malicious user-agent string FPUpdater (blacklist.rules, High)
18381 < -> BLACKLIST USER-AGENT known malicious user-agent string Travel Update (blacklist.rules, High)
18382 < -> BLACKLIST USER-AGENT known malicious user-agent string WMUpdate (blacklist.rules, High)
18383 < -> BLACKLIST USER-AGENT known malicious user-agent string GPInstaller (blacklist.rules, High)
18384 < -> BLACKLIST USER-AGENT known malicious user-agent string Install Stub (blacklist.rules, High)
18385 < -> BLACKLIST USER-AGENT known malicious user-agent string HTTPCSDCENTER (blacklist.rules, High)
18386 < -> BLACKLIST USER-AGENT known malicious user-agent string AHTTPConnection (blacklist.rules, High)
18387 < -> BLACKLIST USER-AGENT known malicious user-agent string dwplayer (blacklist.rules, High)
18388 < -> BLACKLIST USER-AGENT known malicious user-agent string RookIE/1.0 (blacklist.rules, High)
18389 < -> BLACKLIST USER-AGENT known malicious user-agent string 3653Client (blacklist.rules, High)
18390 < -> BLACKLIST USER-AGENT known malicious user-agent string Delphi 5.x (blacklist.rules, High)
18391 < -> BLACKLIST USER-AGENT known malicious user-agent string MyLove (blacklist.rules, High)
18392 < -> BLACKLIST USER-AGENT known malicious user-agent string qixi (blacklist.rules, High)
18393 < -> BLACKLIST USER-AGENT known malicious user-agent string vyre32 (blacklist.rules, High)
18394 < -> BLACKLIST USER-AGENT known malicious user-agent string OCRecover (blacklist.rules, High)
18395 < -> BLACKLIST USER-AGENT known malicious user-agent string Duckling/1.0 (blacklist.rules, High)
18396 < -> WEB-CLIENT Windows Hypervisor denial of service vfd download attempt (web-client.rules, High)
18397 < -> MISC HP DDMI Agent spoofing - command execution (misc.rules, High)
Updated rules:
3535 < -> WEB-CLIENT GIF transfer (web-client.rules, Low)
3551 < -> WEB-CLIENT .hta download attempt (web-client.rules, Low)
3633 < -> WEB-CLIENT bitmap transfer (web-client.rules, Low)
4194 < -> WEB-CLIENT multipacket CBO CBL CBM file transfer start (web-client.rules, Low)
4678 < -> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
5740 < -> WEB-CLIENT Microsoft HTML help workshop file .hhp download attempt (web-client.rules, Low)
5741 < -> WEB-CLIENT Microsoft HTML help workshop buffer overflow attempt (web-client.rules, High)
6688 < -> WEB-CLIENT PNG file transfer (web-client.rules, Low)
9845 < -> WEB-CLIENT M3U File Download Detected (web-client.rules, Low)
13465 < -> WEB-CLIENT Microsoft Works file download request (web-client.rules, Low)
13515 < -> WEB-CLIENT Quicktime user agent (web-client.rules, Low)
13584 < -> WEB-CLIENT csv file download request (web-client.rules, Low)
13801 < -> WEB-CLIENT RTF file download (web-client.rules, Low)
13911 < -> WEB-CLIENT Microsoft search file download attempt (web-client.rules, Low)
13982 < -> WEB-CLIENT Microsoft Powerpoint file download attempt (web-client.rules, Low)
13983 < -> WEB-CLIENT Microsoft Office eps file download (web-client.rules, Low)
14017 < -> WEB-CLIENT MPEG Layer 3 playlist file request (web-client.rules, Low)
14018 < -> WEB-CLIENT PLS multimedia playlist file request (web-client.rules, Low)
14086 < -> BACKDOOR Adware.Win32.Agent.BM runtime detection 1 (backdoor.rules, High)
14087 < -> BACKDOOR Adware.Win32.Agent.BM runtime detection 2 (backdoor.rules, High)
15123 < -> WEB-CLIENT Rich Text Format file request (web-client.rules, Low)
15184 < -> CHAT MSN messenger http link transmission attempt (chat.rules, High)
15294 < -> WEB-CLIENT Microsoft Visio file download request (web-client.rules, Low)
15426 < -> WEB-CLIENT MAKI file request (web-client.rules, Low)
15463 < -> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15464 < -> WEB-CLIENT Microsoft Excel file request (web-client.rules, Low)
15471 < -> WEB-CLIENT asp file upload (web-client.rules, Low)
15516 < -> WEB-CLIENT AVI multimedia file request (web-client.rules, Low)
15586 < -> WEB-CLIENT Powerpoint file download request (web-client.rules, Low)
15587 < -> WEB-CLIENT Word file download request (web-client.rules, Low)
15865 < -> WEB-CLIENT MP4 file request (web-client.rules, Low)
15921 < -> WEB-CLIENT Microsoft media format file download request (web-client.rules, Low)
15922 < -> WEB-CLIENT mp3 file download request (web-client.rules, Low)
15945 < -> WEB-CLIENT RSS file download request (web-client.rules, Low)
16143 < -> WEB-CLIENT Microsoft asf file download (web-client.rules, Low)
16219 < -> WEB-CLIENT Adobe Director file format transfer (web-client.rules, Low)
16425 < -> WEB-CLIENT request for Portable Executable binary file (web-client.rules, Low)
16473 < -> WEB-CLIENT Microsoft Windows Movie Maker project file download request (web-client.rules, Low)
16474 < -> WEB-CLIENT Microsoft Compound File Binary v3 file download (web-client.rules, Low)
16475 < -> WEB-CLIENT Microsoft Compound File Binary v4 file download (web-client.rules, Low)
16476 < -> WEB-CLIENT Microsoft .MSProducer file download request (web-client.rules, Low)
16477 < -> WEB-CLIENT Microsoft .MSProducerZ file download request (web-client.rules, Low)
16478 < -> WEB-CLIENT Microsoft .MSProducerBF file download request (web-client.rules, Low)
16691 < -> WEB-CLIENT PLF playlist file download request (web-client.rules, Low)
17116 < -> WEB-CLIENT asx file download request (web-client.rules, Low)
17229 < -> WEB-CLIENT Tiff file download - little-endian (web-client.rules, Low)
17230 < -> WEB-CLIENT Tiff file download - big-endian (web-client.rules, Low)
17241 < -> WEB-CLIENT Microsoft wmv file download request (web-client.rules, Low)
17259 < -> WEB-CLIENT .mov file request (web-client.rules, Low)
17314 < -> WEB-CLIENT OLE Document file download (web-client.rules, Low)
17359 < -> WEB-CLIENT xbm image file download request (web-client.rules, Low)
17366 < -> WEB-CLIENT Microsoft Help Workshop HPJ OPTIONS section buffer overflow attempt (web-client.rules, High)
17394 < -> WEB-CLIENT GIF file download request (web-client.rules, Low)
17426 < -> WEB-CLIENT RAT file download request (web-client.rules, Low)
17491 < -> SPECIFIC-THREATS Microsoft Word mso.dll LsCreateLine memory corruption attempt (specific-threats.rules, High)
17547 < -> WEB-CLIENT Apple Quicktime SMIL transfer (web-client.rules, Low)
17552 < -> WEB-CLIENT Adobe Pagemaker file request (web-client.rules, Low)
17600 < -> WEB-CLIENT .xul document retrieval (web-client.rules, Low)
17751 < -> WEB-CLIENT OpenType Font file download request (web-client.rules, Low)
17809 < -> WEB-CLIENT quicktime movie file transfer (web-client.rules, Low)
18196 < -> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)
18240 < -> WEB-CLIENT Microsoft Internet Explorer CSS importer use-after-free attempt (web-client.rules, High)
18243 < -> SPECIFIC-THREATS Microsoft Windows 7 IIS7.5 FTPSVC buffer overflow attempt (specific-threats.rules, High)
18265 < -> WEB-CLIENT Microsoft Office thumbnail bitmap invalid biClrUsed attempt (web-client.rules, High)
18335 < -> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)

Date: 2011-02-01

New rules:
18321 < -> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX clsid access (web-activex.rules, High)
18322 < -> WEB-ACTIVEX SonicWall Aventail EPInterrogator ActiveX function call access (web-activex.rules, High)
18323 < -> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX clsid access (web-activex.rules, High)
18324 < -> WEB-ACTIVEX SonicWall Aventail EPInstaller ActiveX function call access (web-activex.rules, High)
18325 < -> WEB-ACTIVEX Image Viewer CP Gold 6 ActiveX clsid access (web-activex.rules, High)
18326 < -> FTP ProFTPD mod_site_misc module directory traversal attempt (ftp.rules, High)
18327 < -> SCADA Kingview HMI heap overflow attempt (scada.rules, High)
18328 < -> WEB-CLIENT Adobe Flash Player dwmapi.dll dll-load exploit attempt (web-client.rules, High)
18329 < -> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)
18330 < -> NETBIOS Adobe Flash Player dwmapi.dll dll-load exploit attempt (netbios.rules, High)
18331 < -> WEB-CLIENT Microsoft Office Visio DXF variable name overflow attempt (web-client.rules, High)
18332 < -> WEB-CLIENT Mozilla Firefox JS Web Worker arbitrary code execution attempt (web-client.rules, High)
18333 < -> WEB-MISC phpBook date command execution attempt (web-misc.rules, High)
18334 < -> WEB-MISC phpBook mail command execution attempt (web-misc.rules, High)
18335 < -> WEB-CLIENT Microsoft MHTML XSS attempt (web-client.rules, High)
Updated rules:
1324 < -> EXPLOIT ssh CRC32 overflow /bin/sh (exploit.rules, High)
1325 < -> EXPLOIT ssh CRC32 overflow filler (exploit.rules, High)
1326 < -> EXPLOIT ssh CRC32 overflow NOOP (exploit.rules, High)
1327 < -> EXPLOIT ssh CRC32 overflow (exploit.rules, High)
17416 < -> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
17417 < -> ORACLE Database Intermedia Denial of Service Attempt (oracle.rules, Medium)
18241 < -> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX clsid access (web-activex.rules, High)
18242 < -> WEB-ACTIVEX Microsoft WMI Administrator Tools Object Viewer ActiveX function call access (web-activex.rules, High)

Date: 2011-01-25

New rules:
18303 < -> SPECIFIC-THREATS Microsoft Internet Explorer script action handler overflow attempt (specific-threats.rules, High)
18304 < -> WEB-CLIENT Microsoft Internet Explorer span tag memory corruption attempt (web-client.rules, High)
18305 < -> SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt (specific-threats.rules, High)
18306 < -> SPECIFIC-THREATS Microsoft Internet Explorer span tag memory corruption attempt (specific-threats.rules, High)
18307 < -> SPECIFIC-THREATS Microsoft Internet Explorer frameset memory corruption attempt (specific-threats.rules, High)
18308 < -> WEB-CLIENT Adobe Acrobat Reader icc mluc integer overflow attempt (web-client.rules, High)
18309 < -> WEB-CLIENT VML fill method overflow attempt (web-client.rules, High)
18310 < -> SMTP Microsoft Office RTF parsing remote code execution attempt (smtp.rules, High)
18311 < -> WEB-MISC Novell iManager getMultiPartParameters unauthorized file upload attempt (web-misc.rules, High)
18312 < -> EXPLOIT Subversion 1.0.2 get-dated-rev buffer overflow over http attempt (exploit.rules, High)
18313 < -> SPECIFIC-THREATS Microsoft Internet Explorer createTextRange code execution attempt (specific-threats.rules, High)
18314 < -> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (specific-threats.rules, Low)
18315 < -> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 overflow attempt (netbios.rules, High)
18316 < -> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrValidateName2 attempt (netbios.rules, Low)
18317 < -> SMTP RCPT TO IPSwitch proxy overflow attempt (smtp.rules, High)
18318 < -> WEB-MISC TLSv1 Client Change Cipher Spec message (web-misc.rules, Low)
18319 < -> SPECIFIC-THREATS NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt (specific-threats.rules, Low)
18320 < -> SPECIFIC-THREATS WINS association context validation overflow attempt (specific-threats.rules, Medium)
Updated rules:
6584 < -> NETBIOS DCERPC NCACN-IP-TCP rras RasRpcSubmitRequest overflow attempt (netbios.rules, High)
8925 < -> NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrAddAlternateComputerName overflow attempt (netbios.rules, High)
10603 < -> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (netbios.rules, High)
10900 < -> NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (netbios.rules, High)
12220 < -> EXPLOIT IBM Informix Dynamic Server long username buffer overflow attempt (exploit.rules, High)
12269 < -> WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX clsid access (web-activex.rules, High)
12270 < -> WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call (web-activex.rules, High)
12271 < -> DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call access (deleted.rules, High)
12272 < -> DELETED WEB-ACTIVEX Microsoft Visual Basic 6 TLIApplication ActiveX function call unicode access (deleted.rules, High)
12417 < -> WEB-ACTIVEX Microsoft Visual FoxPro ActiveX clsid access (web-activex.rules, High)
12424 < -> RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt (rpc.rules, High)
12450 < -> WEB-ACTIVEX Microsoft Agent Control ActiveX function call access (web-activex.rules, High)
15670 < -> WEB-ACTIVEX Microsoft Video 6 ActiveX clsid access (web-activex.rules, High)
15671 < -> WEB-ACTIVEX Microsoft Video 6 ActiveX function call (web-activex.rules, High)
15904 < -> DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call access (deleted.rules, High)
15905 < -> DELETED WEB-ACTIVEX Microsoft Video 6 ActiveX function call unicode access (deleted.rules, High)
15930 < -> NETBIOS Microsoft Windows SMB malformed process ID high field remote code execution attempt (netbios.rules, Medium)
16499 < -> DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvUpdateRecord2 overflow attempt (deleted.rules, High)
16500 < -> DELETED NETBIOS DCERPC NCACN-IP-TCP dns R_DnssrvEnumRecords overflow attempt (deleted.rules, High)
16523 < -> POLICY PDF with click-to-launch executable (policy.rules, Low)
17047 < -> DELETED NETBIOS Microsoft Windows DNS Server RPC management interface buffer overflow attempt (deleted.rules, High)
17326 < -> EXPLOIT Citrix Program Neighborhood Client buffer overflow attempt (exploit.rules, High)

You can learn more about the Astaro Internet Security product line at www.FirewallShop.com/Astaro.

The original article/video can be found at Security Pattern Updates

About the Author: Shannon Lewis