Talos has added and modified multiple rules in the app-detect, blacklist, file-flash, file-multimedia, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34558 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34563 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34564 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34560 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34562 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34559 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34546 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34534 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34535 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34533 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34532 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34529 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34530 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34531 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34524 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34528 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34527 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34525 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34526 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34521 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34523 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34519 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34522 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34520 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34518 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34514 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34517 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34513 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34511 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34512 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34510 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:34494 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34493 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34492 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ngusto-uro.ru (blacklist.rules)
* 1:34491 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalPutty variant outbound connection attempt (malware-cnc.rules)
* 1:34557 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34551 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nalodew variant outbound connection attempt (malware-cnc.rules)
* 1:34548 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34550 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34547 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34549 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34552 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:28361 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34563 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34564 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34559 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34562 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34560 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34546 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34534 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34535 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34532 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34533 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34530 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34531 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34528 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34529 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34526 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34527 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34525 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34524 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34523 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34521 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34522 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34519 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34520 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34517 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34518 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34513 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34514 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34511 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34512 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34510 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34493 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34494 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34491 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalPutty variant outbound connection attempt (malware-cnc.rules)
* 1:34492 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ngusto-uro.ru (blacklist.rules)
* 1:34556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34551 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34558 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nalodew variant outbound connection attempt (malware-cnc.rules)
* 1:34557 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34552 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:34550 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34549 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34548 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34547 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:28361 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34546 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34535 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34533 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34534 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34531 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34532 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34529 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34530 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34527 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34528 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34525 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34526 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34523 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34524 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34521 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34522 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34519 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34520 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34517 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34518 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34513 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34514 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34511 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34512 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34510 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query attempt (app-detect.rules)
* 1:34493 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34494 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34491 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalPutty variant outbound connection attempt (malware-cnc.rules)
* 1:34492 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules)
* 1:34490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ngusto-uro.ru (blacklist.rules)
* 1:34489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nalodew variant outbound connection attempt (malware-cnc.rules)
* 1:34564 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34563 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34562 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34560 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34559 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34558 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34557 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34551 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34552 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:34550 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34549 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34548 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34547 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:28361 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34564 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34563 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34562 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player asynchronous shader changes memory corruption attempt (file-flash.rules)
* 1:34560 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34559 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader openDoc dangling pointer attempt (file-pdf.rules)
* 1:34558 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34557 <-> ENABLED <-> FILE-PDF Adobe Reader embedded JavaScript remote code execution attempt (file-pdf.rules)
* 1:34556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:34552 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:34551 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34550 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API trustPropagatorFunction execution bypass attempt (file-pdf.rules)
* 1:34549 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34548 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader 11.0.09 keystroke combobox use after free attempt (file-pdf.rules)
* 1:34547 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34546 <-> ENABLED <-> FILE-PDF Adobe Reader PCR null pointer dereference attempt (file-pdf.rules)
* 1:34545 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34544 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34543 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34542 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GIF sprite kernel memory leak attempt (file-flash.rules)
* 1:34541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalexis variant outbound connection (malware-cnc.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34537 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34536 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34535 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34534 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader PRC invalid index attempt (file-pdf.rules)
* 1:34533 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34532 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader customDictionaryExport information disclosure attempt (file-pdf.rules)
* 1:34531 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34530 <-> DISABLED <-> FILE-OTHER Microsoft CAB incorrect version multiple antivirus evasion attempt (file-other.rules)
* 1:34529 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34528 <-> ENABLED <-> FILE-PDF Adobe Reader AVDoc use-after-free attempt (file-pdf.rules)
* 1:34527 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34526 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Cooltype callother memory corruption attempt (file-pdf.rules)
* 1:34525 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34524 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CoolType blend memory corruption attempt (file-pdf.rules)
* 1:34523 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34522 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34521 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34520 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Button.filters type confusion remote code execution attempt (file-flash.rules)
* 1:34519 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34518 <-> ENABLED <-> FILE-OTHER Adobe Flash Player invalid mpd memory corruption attempt (file-other.rules)
* 1:34517 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34514 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader addAnnot invalid type conversion attempt (file-pdf.rules)
* 1:34513 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34512 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34511 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34510 <-> ENABLED <-> FILE-OTHER Adobe Flash Player mp4 avcC atom memory corruption attempt (file-other.rules)
* 1:34509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTagsForBackgroundManifest memory corruption attempt (file-flash.rules)
* 1:34507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setCuePointTags memory corruption attempt (file-flash.rules)
* 1:34505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34504 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setSubscribedTags memory corruption attempt (file-flash.rules)
* 1:34503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript AVSS memory corruption attempt (file-flash.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34499 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34498 <-> DISABLED <-> OS-WINDOWS Win32k.sys kernel-mode driver privilege escalation attempt (os-windows.rules)
* 1:34497 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query response attempt (app-detect.rules)
* 1:34496 <-> DISABLED <-> APP-DETECT Your-Freedom DNS tunneling query
attempt (app-detect.rules) * 1:34495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules) * 1:34494 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules) * 1:34493 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules) * 1:34492 <-> ENABLED <-> FILE-FLASH Adobe Flash Player same origin policy security bypass attempt (file-flash.rules) * 1:34491 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MalPutty variant outbound connection attempt (malware-cnc.rules) * 1:34490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ngusto-uro.ru (blacklist.rules) * 1:34489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nalodew variant outbound connection attempt (malware-cnc.rules)
* 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:28361 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed shading modifier heap corruption attempt (file-pdf.rules)
* 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:34225 <-> DISABLED <-> PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt (protocol-ftp.rules)
* 1:34447 <-> DISABLED <-> POLICY-OTHER ProFTPD mod_copy unauthenticated file copy attempt (policy-other.rules)
* 3:16534 <-> ENABLED <-> SERVER-OTHER Windows Server2000/2003/2008 SMTP service DNS MX lookup denial of service attempt (server-other.rules)