Talos has added and modified multiple rules in the app-detect, browser-plugins, malware-cnc, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34448 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34449 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34454 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34451 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules)
* 1:34464 <-> DISABLED <-> SERVER-OTHER ASUSWRT infosvr remote command execution attempt (server-other.rules)
* 1:34455 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34457 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34456 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34450 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:34459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pvzin variant outbound connection attempt (malware-cnc.rules)
* 1:34458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tendrit variant outbound connection (malware-cnc.rules)
* 1:34460 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mozibe variant outbound connection attempt (malware-cnc.rules)
* 1:34461 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection attempt (malware-cnc.rules)
* 1:34463 <-> ENABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:34462 <-> ENABLED <-> MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection attempt (malware-cnc.rules)

* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pvzin variant outbound connection attempt (malware-cnc.rules)
* 1:34460 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mozibe variant outbound connection attempt (malware-cnc.rules)
* 1:34457 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tendrit variant outbound connection (malware-cnc.rules)
* 1:34455 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34456 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34454 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34451 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34450 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules)
* 1:34449 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34448 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34464 <-> DISABLED <-> SERVER-OTHER ASUSWRT infosvr remote command execution attempt (server-other.rules)
* 1:34463 <-> ENABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:34462 <-> ENABLED <-> MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection attempt (malware-cnc.rules)
* 1:34461 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection attempt (malware-cnc.rules)

* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34464 <-> DISABLED <-> SERVER-OTHER ASUSWRT infosvr remote command execution attempt (server-other.rules)
* 1:34463 <-> ENABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 1:34462 <-> ENABLED <-> MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection attempt (malware-cnc.rules)
* 1:34461 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection attempt (malware-cnc.rules)
* 1:34460 <-> ENABLED <-> MALWARE-CNC Win.Worm.Mozibe variant outbound connection attempt (malware-cnc.rules)
* 1:34459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pvzin variant outbound connection attempt (malware-cnc.rules)
* 1:34458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tendrit variant outbound connection (malware-cnc.rules)
* 1:34457 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34456 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34455 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34454 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPPlaybackCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:34453 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:34451 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34450 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34449 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34448 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPMonitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:34446 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt (malware-cnc.rules)

* 1:33893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)