The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
* 1:31281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31280 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download attempt (exploit-kit.rules)
* 1:31278 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection (exploit-kit.rules)
* 1:31273 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin coin mining program download attempt (malware-cnc.rules)
* 1:31269 <-> ENABLED <-> BLACKLIST DNS request for known malware domain honkytonk69.tk.hostinghood.com - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31266 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gdm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31263 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ac-shippingllc.com - Win.Trojan.Caphaw (blacklist.rules)
* 1:31307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound detection (malware-cnc.rules)
* 1:31265 <-> ENABLED <-> BLACKLIST DNS request for known malware domain elg.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31267 <-> ENABLED <-> BLACKLIST DNS request for known malware domain irm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31268 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uab.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31270 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vectortango.biz - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31271 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin information disclosure attempt (malware-cnc.rules)
* 1:31264 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dza.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31272 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin outbound command request attempt (malware-cnc.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection attempt (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31305 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center fileRequestor directory traversal attempt (server-webapp.rules)
* 1:31274 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download (exploit-kit.rules)
* 1:31275 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit landing page (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31277 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection (exploit-kit.rules)
* 1:31279 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request (exploit-kit.rules)
* 1:31282 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31285 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31287 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dc186.gulfup.com - Win.Downloader.Bladabindi (blacklist.rules)
* 1:31288 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Bladabindi variant outbound download request (malware-cnc.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vextstl outbound communication (malware-cnc.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbount connection attempt (malware-cnc.rules)
* 1:31294 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.give-us-btc.biz - Win.Trojan.Zusy (blacklist.rules)
* 1:31295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection attempt (malware-cnc.rules)
* 1:31306 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:31297 <-> DISABLED <-> SERVER-WEBAPP VMWare vSphere API SOAP request RetrieveProperties remote denial of service attempt (server-webapp.rules)

* 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:23494 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Onitab.A outbound connection (malware-cnc.rules)
* 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:24211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xamtrav update protocol connection (malware-cnc.rules)
* 1:27595 <-> ENABLED <-> MALWARE-OTHER Fake Adobe Flash Player malware binary requested (malware-other.rules)
* 1:28612 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31280 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download attempt (exploit-kit.rules)
* 1:31281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31278 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection (exploit-kit.rules)
* 1:31273 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin coin mining program download attempt (malware-cnc.rules)
* 1:31269 <-> ENABLED <-> BLACKLIST DNS request for known malware domain honkytonk69.tk.hostinghood.com - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31266 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gdm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31263 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ac-shippingllc.com - Win.Trojan.Caphaw (blacklist.rules)
* 1:31264 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dza.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31267 <-> ENABLED <-> BLACKLIST DNS request for known malware domain irm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31268 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uab.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31270 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vectortango.biz - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31271 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin information disclosure attempt (malware-cnc.rules)
* 1:31272 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin outbound command request attempt (malware-cnc.rules)
* 1:31274 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download (exploit-kit.rules)
* 1:31275 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit landing page (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31277 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection (exploit-kit.rules)
* 1:31279 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request (exploit-kit.rules)
* 1:31282 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31285 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31287 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dc186.gulfup.com - Win.Downloader.Bladabindi (blacklist.rules)
* 1:31288 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Bladabindi variant outbound download request (malware-cnc.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vextstl outbound communication (malware-cnc.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbount connection attempt (malware-cnc.rules)
* 1:31294 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.give-us-btc.biz - Win.Trojan.Zusy (blacklist.rules)
* 1:31295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection attempt (malware-cnc.rules)
* 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:31307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31306 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31305 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center fileRequestor directory traversal attempt (server-webapp.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
* 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection attempt (malware-cnc.rules)
* 1:31265 <-> ENABLED <-> BLACKLIST DNS request for known malware domain elg.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound detection (malware-cnc.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:31297 <-> DISABLED <-> SERVER-WEBAPP VMWare vSphere API SOAP request RetrieveProperties remote denial of service attempt (server-webapp.rules)

* 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:23494 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Onitab.A outbound connection (malware-cnc.rules)
* 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:24211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xamtrav update protocol connection (malware-cnc.rules)
* 1:27595 <-> ENABLED <-> MALWARE-OTHER Fake Adobe Flash Player malware binary requested (malware-other.rules)
* 1:28612 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31306 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toumlec variant outbound connection (malware-cnc.rules)
* 1:31305 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center fileRequestor directory traversal attempt (server-webapp.rules)
* 1:31304 <-> DISABLED <-> SERVER-WEBAPP PocketPAD brute-force login attempt (server-webapp.rules)
* 1:31303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hadeki variant outbound connection attempt (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:31300 <-> ENABLED <-> SERVER-OTHER Xerox DocuShare SQL injection attempt (server-other.rules)
* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound detection (malware-cnc.rules)
* 1:31298 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit landing page (exploit-kit.rules)
* 1:31297 <-> DISABLED <-> SERVER-WEBAPP VMWare vSphere API SOAP request RetrieveProperties remote denial of service attempt (server-webapp.rules)
* 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:31295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zusy variant outbound connection attempt (malware-cnc.rules)
* 1:31294 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.give-us-btc.biz - Win.Trojan.Zusy (blacklist.rules)
* 1:31293 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbount connection attempt (malware-cnc.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vextstl outbound communication (malware-cnc.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:31288 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Bladabindi variant outbound download request (malware-cnc.rules)
* 1:31287 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dc186.gulfup.com - Win.Downloader.Bladabindi (blacklist.rules)
* 1:31286 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31285 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31284 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31282 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player redirect attempt (file-flash.rules)
* 1:31280 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download attempt (exploit-kit.rules)
* 1:31279 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request (exploit-kit.rules)
* 1:31278 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection (exploit-kit.rules)
* 1:31277 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31275 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit landing page (exploit-kit.rules)
* 1:31274 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit encrypted binary download (exploit-kit.rules)
* 1:31273 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin coin mining program download attempt (malware-cnc.rules)
* 1:31272 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin outbound command request attempt (malware-cnc.rules)
* 1:31271 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vectecoin information disclosure attempt (malware-cnc.rules)
* 1:31270 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vectortango.biz - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31269 <-> ENABLED <-> BLACKLIST DNS request for known malware domain honkytonk69.tk.hostinghood.com - Win.Trojan.Vectecoin (blacklist.rules)
* 1:31268 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uab.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31267 <-> ENABLED <-> BLACKLIST DNS request for known malware domain irm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31266 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gdm.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31265 <-> ENABLED <-> BLACKLIST DNS request for known malware domain elg.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31264 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dza.cc - Win.Trojan.Caphaw (blacklist.rules)
* 1:31263 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ac-shippingllc.com - Win.Trojan.Caphaw (blacklist.rules)

* 1:19671 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XSLT memory corruption attempt (browser-ie.rules)
* 1:23494 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Onitab.A outbound connection (malware-cnc.rules)
* 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:24211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xamtrav update protocol connection (malware-cnc.rules)
* 1:27595 <-> ENABLED <-> MALWARE-OTHER Fake Adobe Flash Player malware binary requested (malware-other.rules)
* 1:28612 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit Silverlight exploit download (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)