Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-multimedia, malware-cnc, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
* 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
* 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
* 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
* 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
* 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
* 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
* 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
* 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)
* 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
* 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
* 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
* 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
* 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
* 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
* 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
* 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
* 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
* 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
* 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
* 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
* 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
* 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
* 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
* 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
* 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
* 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
* 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
* 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
* 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
* 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
* 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
* 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
* 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
* 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
* 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
* 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
* 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)