Talos has added and modified multiple rules in the blacklist, file-flash, file-office, indicator-compromise, malware-cnc, malware-other, pua-adware, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40853 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40854 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40851 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40852 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40849 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40850 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40847 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40848 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
* 1:40846 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
* 1:40844 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
* 1:40841 <-> DISABLED <-> PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt (pua-other.rules)
* 1:40842 <-> DISABLED <-> PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt (pua-other.rules)
* 1:40840 <-> DISABLED <-> PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt (pua-other.rules)
* 1:40839 <-> DISABLED <-> PUA-ADWARE Sokuxuan outbound connection attempt (pua-adware.rules)
* 1:40838 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
* 1:40837 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
* 1:40830 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
* 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:40833 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:40835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:40871 <-> DISABLED <-> MALWARE-OTHER Virut CnC command reply (malware-other.rules)
* 1:40870 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
* 1:40869 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
* 1:40868 <-> ENABLED <-> BLACKLIST DNS request for known malware domain core.ircgalaxy.pl - Virut (blacklist.rules)
* 1:40867 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sys.zief.pl - Virut (blacklist.rules)
* 1:40829 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
* 1:40865 <-> ENABLED <-> SERVER-WEBAPP Bassmaster Batch remote code execution attempt (server-webapp.rules)
* 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)

* 1:38204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
* 1:40008 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess DCERPC buffer overflow attempt (server-other.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:38203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
* 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40871 <-> DISABLED <-> MALWARE-OTHER Virut CnC command reply (malware-other.rules)
* 1:40870 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
* 1:40869 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Virut (blacklist.rules)
* 1:40868 <-> ENABLED <-> BLACKLIST DNS request for known malware domain core.ircgalaxy.pl - Virut (blacklist.rules)
* 1:40867 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sys.zief.pl - Virut (blacklist.rules)
* 1:40865 <-> ENABLED <-> SERVER-WEBAPP Bassmaster Batch remote code execution attempt (server-webapp.rules)
* 1:40864 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40863 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40862 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40861 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40860 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40859 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40858 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40857 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40856 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40855 <-> DISABLED <-> SERVER-OTHER ntpd mrulist control message command null pointer dereference attempt (server-other.rules)
* 1:40854 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40853 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40852 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40851 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40850 <-> DISABLED <-> SERVER-WEBAPP VTSCADA WAP information disclosure attempt (server-webapp.rules)
* 1:40849 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40848 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40847 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40846 <-> DISABLED <-> SERVER-APACHE Apache Subversion svnserve integer overflow attempt (server-apache.rules)
* 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
* 1:40844 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
* 1:40843 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 warning denial of service attempt (server-other.rules)
* 1:40842 <-> DISABLED <-> PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt (pua-other.rules)
* 1:40841 <-> DISABLED <-> PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt (pua-other.rules)
* 1:40840 <-> DISABLED <-> PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt (pua-other.rules)
* 1:40839 <-> DISABLED <-> PUA-ADWARE Sokuxuan outbound connection attempt (pua-adware.rules)
* 1:40838 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
* 1:40837 <-> DISABLED <-> SERVER-WEBAPP Veritas NetBackup Appliance getLicense command injection attempt (server-webapp.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:40835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:40833 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection attempt (malware-cnc.rules)
* 1:40830 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)
* 1:40829 <-> ENABLED <-> INDICATOR-COMPROMISE potential Squiblydoo application whitelisting bypass attempt (indicator-compromise.rules)

* 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:38203 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
* 1:38204 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData.applyFilter access violation attempt (file-flash.rules)
* 1:40008 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess DCERPC buffer overflow attempt (server-other.rules)