Talos has added and modified multiple rules in the exploit-kit, file-image, file-office, file-pdf, malware-cnc, os-other, policy-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46874 <-> ENABLED <-> PUA-ADWARE Win.Pua.Softonic installer variant outbound connection (pua-adware.rules)
* 1:46881 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch directory traversal attempt (server-webapp.rules)
* 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46878 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46866 <-> DISABLED <-> SERVER-WEBAPP TYPO3 news module SQL injection attempt (server-webapp.rules)
* 1:46872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail command and control response detected (malware-cnc.rules)
* 1:46880 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46860 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46862 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46861 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46871 <-> ENABLED <-> MALWARE-CNC Win.Dropper.NavRat payload download (malware-cnc.rules)
* 1:46863 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt (server-webapp.rules)
* 1:46876 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt (malware-cnc.rules)
* 3:46868 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46869 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46883 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46877 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0605 attack attempt (server-webapp.rules)
* 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46867 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0602 attack attempt (server-other.rules)
* 3:46882 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
* 1:35180 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
* 3:46859 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
* 3:46858 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46874 <-> ENABLED <-> PUA-ADWARE Win.Pua.Softonic installer variant outbound connection (pua-adware.rules)
* 1:46876 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46866 <-> DISABLED <-> SERVER-WEBAPP TYPO3 news module SQL injection attempt (server-webapp.rules)
* 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46860 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46863 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt (server-webapp.rules)
* 1:46871 <-> ENABLED <-> MALWARE-CNC Win.Dropper.NavRat payload download (malware-cnc.rules)
* 1:46881 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch directory traversal attempt (server-webapp.rules)
* 1:46880 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46861 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail command and control response detected (malware-cnc.rules)
* 1:46873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt (malware-cnc.rules)
* 1:46862 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46878 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 3:46870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0602 attack attempt (server-other.rules)
* 3:46882 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46883 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46877 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0605 attack attempt (server-webapp.rules)
* 3:46869 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46867 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46868 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
* 1:35180 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
* 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 3:46858 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
* 3:46859 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46880 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (snort3-server-other.rules)
* 1:46881 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch directory traversal attempt (snort3-server-webapp.rules)
* 1:46861 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (snort3-server-webapp.rules)
* 1:46878 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (snort3-server-other.rules)
* 1:46871 <-> ENABLED <-> MALWARE-CNC Win.Dropper.NavRat payload download (snort3-malware-cnc.rules)
* 1:46860 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (snort3-server-webapp.rules)
* 1:46866 <-> DISABLED <-> SERVER-WEBAPP TYPO3 news module SQL injection attempt (snort3-server-webapp.rules)
* 1:46872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail command and control response detected (snort3-malware-cnc.rules)
* 1:46874 <-> ENABLED <-> PUA-ADWARE Win.Pua.Softonic installer variant outbound connection (snort3-pua-adware.rules)
* 1:46876 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
* 1:46875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
* 1:46873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt (snort3-malware-cnc.rules)
* 1:46862 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (snort3-server-webapp.rules)
* 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (snort3-server-other.rules)
* 1:46863 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt (snort3-server-webapp.rules)
* 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (snort3-file-pdf.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (snort3-malware-cnc.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (snort3-malware-cnc.rules)
* 1:35180 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (snort3-policy-other.rules)
* 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (snort3-policy-other.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (snort3-exploit-kit.rules)
* 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46878 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46866 <-> DISABLED <-> SERVER-WEBAPP TYPO3 news module SQL injection attempt (server-webapp.rules)
* 1:46880 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46881 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch directory traversal attempt (server-webapp.rules)
* 1:46863 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt (server-webapp.rules)
* 1:46876 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail command and control response detected (malware-cnc.rules)
* 1:46874 <-> ENABLED <-> PUA-ADWARE Win.Pua.Softonic installer variant outbound connection (pua-adware.rules)
* 1:46861 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46860 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46871 <-> ENABLED <-> MALWARE-CNC Win.Dropper.NavRat payload download (malware-cnc.rules)
* 1:46873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt (malware-cnc.rules)
* 1:46862 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 3:46868 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0602 attack attempt (server-other.rules)
* 3:46882 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46883 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46877 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0605 attack attempt (server-webapp.rules)
* 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46869 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46867 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
* 1:35180 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
* 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 3:46859 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
* 3:46858 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46880 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46879 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46878 <-> DISABLED <-> SERVER-OTHER BMC Server Automation RSCD Agent remote code execution attempt (server-other.rules)
* 1:46876 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:46874 <-> ENABLED <-> PUA-ADWARE Win.Pua.Softonic installer variant outbound connection (pua-adware.rules)
* 1:46873 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt (malware-cnc.rules)
* 1:46872 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CowerSnail command and control response detected (malware-cnc.rules)
* 1:46871 <-> ENABLED <-> MALWARE-CNC Win.Dropper.NavRat payload download (malware-cnc.rules)
* 1:46866 <-> DISABLED <-> SERVER-WEBAPP TYPO3 news module SQL injection attempt (server-webapp.rules)
* 1:46863 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackupOptionSet SQL injection attempt (server-webapp.rules)
* 1:46862 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46861 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46860 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud jqueryFileTree.php command injection attempt (server-webapp.rules)
* 1:46881 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch directory traversal attempt (server-webapp.rules)
* 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
* 3:46867 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46868 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46869 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0604 attack attempt (server-webapp.rules)
* 3:46870 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0602 attack attempt (server-other.rules)
* 3:46877 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0605 attack attempt (server-webapp.rules)
* 3:46882 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 3:46883 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0603 attack attempt (file-office.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 1:35180 <-> DISABLED <-> POLICY-OTHER Remote non-JavaScript file found in script tag src attribute (policy-other.rules)
* 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
* 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
* 3:46858 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)
* 3:46859 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2018-0614 attack attempt (os-other.rules)