Talos has added and modified multiple rules in the browser-ie, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47637 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47661 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47659 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47664 <-> ENABLED <-> SERVER-WEBAPP Dicoogle directory traversal attempt (server-webapp.rules)
* 1:47662 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub ASP script injection attempt (server-webapp.rules)
* 1:47638 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
* 1:47640 <-> DISABLED <-> SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected (server-webapp.rules)
* 1:47641 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47642 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47643 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47644 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47645 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47646 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47647 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47648 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47649 <-> ENABLED <-> SERVER-WEBAPP Apache Struts remote code execution attempt (server-webapp.rules)
* 1:47650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marap outbound beacon detected (malware-cnc.rules)
* 1:47651 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47652 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47653 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47654 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47655 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47656 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47657 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47658 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47635 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47636 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47660 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt (server-webapp.rules)
* 3:47665 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 SetAVTransportURI SOAP action command injection attempt (server-webapp.rules)
* 3:47663 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0653 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47660 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt (server-webapp.rules)
* 1:47662 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub ASP script injection attempt (server-webapp.rules)
* 1:47658 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47659 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47635 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47636 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47637 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47638 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
* 1:47640 <-> DISABLED <-> SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected (server-webapp.rules)
* 1:47641 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47642 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47643 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47644 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47645 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47646 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47647 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47648 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47649 <-> ENABLED <-> SERVER-WEBAPP Apache Struts remote code execution attempt (server-webapp.rules)
* 1:47650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marap outbound beacon detected (malware-cnc.rules)
* 1:47651 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47652 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47653 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47654 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47661 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47655 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47656 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47657 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47664 <-> ENABLED <-> SERVER-WEBAPP Dicoogle directory traversal attempt (server-webapp.rules)
* 3:47665 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 SetAVTransportURI SOAP action command injection attempt (server-webapp.rules)
* 3:47663 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0653 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47658 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (snort3-server-webapp.rules)
* 1:47635 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (snort3-browser-ie.rules)
* 1:47660 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt (snort3-server-webapp.rules)
* 1:47636 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (snort3-browser-ie.rules)
* 1:47637 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (snort3-browser-ie.rules)
* 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (snort3-indicator-obfuscation.rules)
* 1:47662 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub ASP script injection attempt (snort3-server-webapp.rules)
* 1:47664 <-> ENABLED <-> SERVER-WEBAPP Dicoogle directory traversal attempt (snort3-server-webapp.rules)
* 1:47661 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (snort3-server-webapp.rules)
* 1:47642 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47640 <-> DISABLED <-> SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected (snort3-server-webapp.rules)
* 1:47643 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47644 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47645 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47646 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47647 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (snort3-file-pdf.rules)
* 1:47648 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (snort3-file-pdf.rules)
* 1:47649 <-> ENABLED <-> SERVER-WEBAPP Apache Struts remote code execution attempt (snort3-server-webapp.rules)
* 1:47650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marap outbound beacon detected (snort3-malware-cnc.rules)
* 1:47651 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
* 1:47652 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
* 1:47653 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
* 1:47654 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
* 1:47655 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (snort3-server-webapp.rules)
* 1:47656 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (snort3-server-webapp.rules)
* 1:47659 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (snort3-server-webapp.rules)
* 1:47641 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (snort3-server-webapp.rules)
* 1:47638 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (snort3-browser-ie.rules)
* 1:47657 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47658 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47635 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47637 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47638 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
* 1:47640 <-> DISABLED <-> SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected (server-webapp.rules)
* 1:47641 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47642 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47660 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt (server-webapp.rules)
* 1:47659 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47643 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47644 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47645 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47646 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47647 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47648 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47649 <-> ENABLED <-> SERVER-WEBAPP Apache Struts remote code execution attempt (server-webapp.rules)
* 1:47650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marap outbound beacon detected (malware-cnc.rules)
* 1:47651 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47652 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47653 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47654 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47655 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47656 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47657 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47664 <-> ENABLED <-> SERVER-WEBAPP Dicoogle directory traversal attempt (server-webapp.rules)
* 1:47661 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47662 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub ASP script injection attempt (server-webapp.rules)
* 1:47636 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 3:47665 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 SetAVTransportURI SOAP action command injection attempt (server-webapp.rules)
* 3:47663 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0653 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47646 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47645 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47644 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47643 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47642 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47641 <-> DISABLED <-> SERVER-WEBAPP IceWarp Mail Server directory traversal attempt (server-webapp.rules)
* 1:47640 <-> DISABLED <-> SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected (server-webapp.rules)
* 1:47639 <-> DISABLED <-> INDICATOR-OBFUSCATION DNS TXT response record tunneling (indicator-obfuscation.rules)
* 1:47638 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47637 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47636 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47635 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra floating point type confusion attempt (browser-ie.rules)
* 1:47664 <-> ENABLED <-> SERVER-WEBAPP Dicoogle directory traversal attempt (server-webapp.rules)
* 1:47662 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub ASP script injection attempt (server-webapp.rules)
* 1:47661 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47660 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage edit.php command injection attempt (server-webapp.rules)
* 1:47659 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47658 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47657 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail encryptMessage prefs.php command injection attempt (server-webapp.rules)
* 1:47656 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47655 <-> DISABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)
* 1:47654 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47653 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47652 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47651 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
* 1:47650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marap outbound beacon detected (malware-cnc.rules)
* 1:47649 <-> ENABLED <-> SERVER-WEBAPP Apache Struts remote code execution attempt (server-webapp.rules)
* 1:47648 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 1:47647 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 symbol header out of bounds read attempt (file-pdf.rules)
* 3:47663 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0653 attack attempt (server-other.rules)
* 3:47665 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 SetAVTransportURI SOAP action command injection attempt (server-webapp.rules)