Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
* 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
* 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
* 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
* 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
* 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
* 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
* 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
* 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
* 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
* 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
* 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
* 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
* 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
* 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
* 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
* 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
* 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
* 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
* 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
* 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
* 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
* 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
* 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
* 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
* 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
* 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
* 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
* 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
* 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
* 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
* 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
* 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
* 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
* 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
* 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
* 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
* 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
* 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
* 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
* 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
* 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
* 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
* 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
* 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
* 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
* 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
* 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
* 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
* 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
* 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
* 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
* 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt (file-office.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)