Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, malware-cnc, os-mobile, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
* 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
* 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
* 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
* 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)
* 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
* 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
* 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
* 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
* 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
* 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

* 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
* 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
* 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
* 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
* 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
* 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
* 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
* 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
* 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
* 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
* 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
* 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
* 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
* 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
* 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
* 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
* 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)