Talos has added and modified multiple rules in the browser-webkit, exploit-kit, file-flash, file-multimedia, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
* 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)

* 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
* 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)

* 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
* 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
* 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
* 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
* 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
* 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
* 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
* 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)

* 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
* 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
* 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
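Each of the three sections above describes its list with the same format line, gid:sid <-> Default rule state <-> Message (rule group). The following Python is an added example, not part of the Talos release notes: a parser for that format that groups entries by rule set and default state, pulls out the rules that ship DISABLED (a default-off rule gives no coverage until you opt in, so the OpenEMR, Kerberos, libav and Safari rules in this update are the ones to review against your environment), emits gid:sid lines in the one-per-line form assumed here for PulledPork's enablesid.conf (check the syntax your own rule manager expects), and diffs two lists so you can confirm the 2962, 2975 and 2976 packs carry the same SIDs. It copes with entries run together on one line or broken across lines, as happens when the notes are copied or scraped. The sample text is constructed from entries in the lists above.

```python
"""Parse Snort release-note rule lists of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and summarise them for review. Example code added to this page; SAMPLE below
is constructed from entries in the release-note lists."""
from __future__ import annotations

import re
from typing import NamedTuple

# One entry. Entries may be run together on one line or broken across lines,
# so we scan with finditer under DOTALL and normalise whitespace afterwards.
# The non-greedy message stops at the first "(<group>.rules)" terminator, so
# an entry that lost its terminator would swallow text up to the next one.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)",
    re.DOTALL,
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str


def parse_entries(text: str) -> list[RuleEntry]:
    """Return every gid:sid entry found in a release-note blob."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                  " ".join(m["msg"].split()), m["group"])
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries: list[RuleEntry]) -> dict[str, dict[str, int]]:
    """Per rule group: how many rules ship enabled vs disabled by default."""
    by_group: dict[str, dict[str, int]] = {}
    for e in entries:
        counts = by_group.setdefault(e.group, {"enabled": 0, "disabled": 0})
        counts["enabled" if e.enabled else "disabled"] += 1
    return by_group


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules shipped DISABLED, ordered by gid:sid. These give no coverage
    until you enable them, so they are the ones to review."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """gid:sid opt-in lines for the disabled rules. Assumption: your rule
    manager (e.g. PulledPork enablesid.conf) accepts one gid:sid per line."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)]


def diff_releases(a: list[RuleEntry], b: list[RuleEntry]) -> tuple[set, set]:
    """(only in a, only in b) as (gid, sid) tuples. Use it to confirm that the
    packs for two Snort versions carry the same rule update."""
    sa = {(e.gid, e.sid) for e in a}
    sb = {(e.gid, e.sid) for e in b}
    return sa - sb, sb - sa


# Constructed sample: entries taken from the lists above, deliberately with two
# entries run together on the first line and one entry split across two lines.
SAMPLE = """\
* 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules) * 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
* 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
* 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
* 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
* 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
* 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup
outbound variant connection (malware-cnc.rules)
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for group, counts in sorted(summarize(entries).items()):
        print(f"{group:24} enabled={counts['enabled']} disabled={counts['disabled']}")
    print("disabled by default:", *enablesid_lines(entries))
```

Feed it the full text of each section and compare the parsed lists with diff_releases; the three sections on this page cover the same 35 new SIDs (36562 to 36596) and the same nine modified ones, so the diff should come back empty in both directions.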