Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules) * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules) * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules) * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules) * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules) * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)
* 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules) * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules) * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules) * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules) * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules) * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules) * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules) * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules) * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules) * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules)
* 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules) * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules) * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules) * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules) * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules) * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules) * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules) * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules) * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules) * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules) * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules)
* 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules) * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules) * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules) * 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules) * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules) * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules) * 1:36531 <-> ENABLED <-> FILE-IDENTIFY Oracle Java JMX management loading mlet detected (file-identify.rules) * 1:36530 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36529 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36528 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36527 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:36526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36525 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36524 <-> DISABLED <-> FILE-JAVA Oracle Java TrueType font parsing mort table ligature subtable buffer overflow attempt (file-java.rules) * 1:36523 <-> DISABLED <-> EXPLOIT-KIT Sundown exploit kit landing page detected (exploit-kit.rules) * 1:36522 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection attempt (malware-cnc.rules) * 1:36521 <-> ENABLED <-> BLACKLIST DNS request for known malware domain smartcell.webcindario.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36520 <-> ENABLED <-> BLACKLIST DNS request for known malware domain marmitariakisabor.com - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36519 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gfxcorp.engenharia.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36518 <-> ENABLED <-> BLACKLIST DNS request for known malware domain corpsone.agropecuaria.ws - Win.Trojan.Banker.NWT (blacklist.rules) * 1:36517 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36516 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36515 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer SetText ActiveX clsid access (browser-plugins.rules) * 1:36514 <-> DISABLED <-> BROWSER-PLUGINS X360 VideoPlayer ConvertFile ActiveX clsid access (browser-plugins.rules) * 1:36513 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36512 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed mp4 CABAC encoding out of bounds read attempt (file-multimedia.rules) * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36510 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36509 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36508 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36507 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:36506 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:36505 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36504 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36503 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36502 <-> DISABLED <-> FILE-FLASH Adobe Flash Player scrollRect property use after free attempt (file-flash.rules) * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36499 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36498 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules) * 1:36496 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:36495 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules)
* 1:13834 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer request header overwrite (browser-ie.rules) * 1:16609 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:17384 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17385 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer setRequestHeader overflow attempt (browser-ie.rules) * 1:17425 <-> DISABLED <-> BROWSER-PLUGINS RealNetworks RealPlayer Import ActiveX clsid access attempt (browser-plugins.rules) * 1:18172 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules) * 1:25100 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules) * 1:28502 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules) * 1:28545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules) * 1:29047 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29049 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29050 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29051 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:29054 <-> ENABLED <-> FILE-FLASH Adobe Flash Player and AIR type confusion remote code execution attempt (file-flash.rules) * 1:33458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33459 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33460 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33461 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33462 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:33463 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript worker use after free attempt (file-flash.rules) * 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules) * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules) * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules) * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules) * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules) * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules) * 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
