Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)

* 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
* 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
* 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)

* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
* 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
* 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36609 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36608 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36607 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36606 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NavigatetoURL new tab open attempt (file-flash.rules)
* 1:36605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection (malware-cnc.rules)
* 1:36600 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)
* 1:36597 <-> ENABLED <-> FILE-FLASH Adobe Flash Player assertion out of bounds corruption attempt (file-flash.rules)

* 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
* 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:35281 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
* 1:35279 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35280 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager haid SQL injection attempt (server-webapp.rules)
* 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:29356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cidox variant outbound connection (malware-cnc.rules)
* 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)