Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-webkit, file-flash, file-multimedia, malware-cnc, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
* 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
* 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
* 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
* 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
* 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
* 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
* 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
* 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
* 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
* 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
* 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
* 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
* 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
* 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
* 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
* 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
* 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
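The changelog format above is regular enough to process mechanically, which is how most shops decide what to opt into after a rule update. The following is an added example and not Talos or Snort tooling: it parses entries in the gid:sid <-> state <-> message (group) form, tolerating lists that have been run together on one line or wrapped mid-message, tallies default states per rule group, lists the rules that ship DISABLED as gid:sid strings (the form PulledPork's enablesid.conf accepts, one per line), and reports which entries one pack's list has that another's lacks. The sample strings are short excerpts copied from the 2962 and 2972 lists on this page and are constructed for the example; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# One changelog entry: gid:sid <-> ENABLED|DISABLED <-> message (group.rules)
# DOTALL lets a message that was wrapped across lines still match; the "* "
# bullet is skipped because the scan simply looks for the next gid:sid.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[A-Za-z0-9_.-]+\.rules)\)",
    re.DOTALL,
)

# Constructed samples: excerpts copied from the 2962 and 2972 lists above, kept
# in the run-together form the page uses, with one entry wrapped across lines.
SAMPLE_2962 = """\
* 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules) * 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules) * 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound
connection download request (malware-cnc.rules) * 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
"""
SAMPLE_2972 = SAMPLE_2962 + """\
* 1:30742 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules) * 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
"""


def parse_changelog(text):
    """Return a list of {gid, sid, state, msg, group} dicts in document order."""
    return [
        {
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": " ".join(m["msg"].split()),  # collapse wrapped whitespace
            "group": m["group"],
        }
        for m in ENTRY_RE.finditer(text)
    ]


def state_counts(entries):
    """Map rule group -> Counter of default states, e.g. {'ENABLED': 2, 'DISABLED': 1}."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["group"]][e["state"]] += 1
    return counts


def disabled_sids(entries, groups=None):
    """Sorted 'gid:sid' strings for rules that ship DISABLED, optionally limited to groups.

    These never fire until enabled locally; the gid:sid form is what PulledPork's
    enablesid.conf accepts, one entry per line.
    """
    return sorted(
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["state"] == "DISABLED" and (groups is None or e["group"] in groups)
    )


def new_in_pack(older, newer):
    """(gid, sid) pairs present in the newer pack's list but absent from the older one."""
    seen = {(e["gid"], e["sid"]) for e in older}
    return sorted({(e["gid"], e["sid"]) for e in newer} - seen)


if __name__ == "__main__":
    old, new = parse_changelog(SAMPLE_2962), parse_changelog(SAMPLE_2972)
    for group, c in sorted(state_counts(new).items()):
        print(f"{group:22s} enabled={c['ENABLED']} disabled={c['DISABLED']}")
    wanted = {"server-webapp.rules", "server-other.rules"}
    print("opt-in (enablesid.conf):", ", ".join(disabled_sids(new, wanted)))
    print("only in 2972 list:", new_in_pack(old, new))
```

Rules that ship DISABLED (here the Watchguard XCS, LANDesk, PHP, CUPS, ModSecurity and Safari entries) are the ones that deserve a look before the next PulledPork run, since they cover server-side exploitation attempts that a default policy will not alert on. The pack diff is useful for noticing when an update quietly touches older signatures, as the 2972 list does with the OpenVPN heartbleed rules.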
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
* 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
* 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
* 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
* 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
* 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
* 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
* 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
* 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
* 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
* 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
* 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
* 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
* 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
* 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
* 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
* 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:30742 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:30741 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30740 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30739 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30738 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30737 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30736 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30735 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30734 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30732 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30733 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30731 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30730 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
* 1:30729 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
* 1:30727 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
* 1:30728 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
* 1:30726 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30725 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30724 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30722 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30723 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30721 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30720 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30719 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30718 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30717 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30716 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30715 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30714 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
* 1:30712 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
* 1:30713 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt (server-other.rules)
* 1:30711 <-> ENABLED <-> SERVER-OTHER OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt (server-other.rules)
* 1:25550 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25664 <-> DISABLED <-> SERVER-OTHER MiniUPnPd SSDP request buffer overflow attempt (server-other.rules)
* 1:25620 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25619 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25618 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25617 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25612 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25601 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25589 <-> ENABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:25549 <-> ENABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:12786 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
* 1:12785 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
* 1:12784 <-> DISABLED <-> SERVER-OTHER CA ARCserve LGServer stack buffer overflow attempt (server-other.rules)
* 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
* 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGMarkerElement use after free attempt (browser-ie.rules)
* 1:35052 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35051 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
* 1:35050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elise variant outbound connection attempt (malware-cnc.rules)
* 1:35049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray uncompress domainMemory use after free attempt (file-flash.rules)
* 1:35047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scar variant outbound connection (malware-cnc.rules)
* 1:35046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gotrubs.us (blacklist.rules)
* 1:35045 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35044 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari URI spoofing attempt (browser-webkit.rules)
* 1:35043 <-> DISABLED <-> SERVER-OTHER Apple Cups cupsd privilege escalation attempt (server-other.rules)
* 1:35042 <-> DISABLED <-> POLICY-OTHER Apple Cups cupsd.conf change attempt (policy-other.rules)
* 1:35041 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:35040 <-> DISABLED <-> SERVER-WEBAPP PHP php_parse_metadata heap corruption attempt (server-webapp.rules)
* 1:35039 <-> ENABLED <-> MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection (malware-cnc.rules)
* 1:35038 <-> DISABLED <-> SERVER-OTHER Trustwave ModSecurity chunked transfer encoding policy bypass attempt (server-other.rules)
* 1:35037 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy outbound variant connection (malware-cnc.rules)
* 1:35036 <-> ENABLED <-> MALWARE-CNC Backdoor.Perl.Santy inbound variant connection (malware-cnc.rules)
* 1:35035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
* 1:35034 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request (malware-cnc.rules)
* 1:35033 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35032 <-> DISABLED <-> SERVER-WEBAPP LANDesk Management Suite remote file include attempt (server-webapp.rules)
* 1:35031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus outbound connection attempt (malware-cnc.rules)
* 1:35030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35029 <-> ENABLED <-> MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection (malware-cnc.rules)
* 1:35028 <-> ENABLED <-> BLACKLIST DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc (blacklist.rules)
* 1:35027 <-> ENABLED <-> MALWARE-CNC known malicious SSL certificate - Troldesh C&C (malware-cnc.rules)
* 1:35026 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35025 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:35024 <-> DISABLED <-> SERVER-WEBAPP Watchguard XCS mailqueue.spl command injection attempt (server-webapp.rules)
* 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
* 1:35022 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)
* 1:35023 <-> ENABLED <-> FILE-MULTIMEDIA Apple Quicktime corrupt stbl atom out of bounds read attempt (file-multimedia.rules)