Talos has added and modified multiple rules in the file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
* 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
* 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
* 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
* 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
* 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
* 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
* 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
* 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36025 <-> DISABLED <-> SERVER-OTHER Digium Asterisk TLS Certificate Common Name null byte validation bypass attempt (server-other.rules)
* 1:36024 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36026 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36028 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36029 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys use after free attempt (os-windows.rules)
* 1:36031 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36030 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36027 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word EPS filter PostScript object use after free attempt (file-office.rules)
* 1:36032 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36033 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station subtitle.cgi command injection attempt (server-webapp.rules)
* 1:36034 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:36036 <-> DISABLED <-> INDICATOR-OBFUSCATION Adobe Flash file with SecureSwfLoader packer detected (indicator-obfuscation.rules)
* 1:36035 <-> DISABLED <-> FILE-FLASH Infinity popup toolkit detected (file-flash.rules)
* 1:36023 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:36022 <-> DISABLED <-> SERVER-WEBAPP FireEye ModuleDispatch.php name parameter directory traversal directory traversal attempt (server-webapp.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34318 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection (malware-cnc.rules)
* 1:35769 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection (malware-backdoor.rules)
* 1:35770 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection (malware-backdoor.rules)