Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

* 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
* 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

* 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
* 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)

* 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:35427 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35426 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Heur outbound connection (malware-cnc.rules)
* 1:35418 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35419 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35421 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35417 <-> DISABLED <-> SERVER-OTHER Fortinet Single Sign On hello message denial of service attempt (server-other.rules)
* 1:35420 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35422 <-> DISABLED <-> BROWSER-PLUGINS Scneider Electric IsObjectModel RemoveParameter buffer overflow attempt (browser-plugins.rules)
* 1:35428 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35429 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager customerName SQL injection attempt (server-webapp.rules)
* 1:35431 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)
* 1:35430 <-> ENABLED <-> FILE-PDF Adobe Reader nested events use-after-free attempt (file-pdf.rules)

* 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
* 1:17051 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17052 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17053 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17054 <-> DISABLED <-> BROWSER-PLUGINS Symantec AppStream Client LaunchObj ActiveX clsid access attempt (browser-plugins.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:35169 <-> DISABLED <-> FILE-OFFICE Microsoft Office rapi.dll dll-load exploit attempt (file-office.rules)