Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-java, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
* 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
* 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
* 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
* 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
* 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
* 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
* 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
* 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
* 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
* 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
* 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
* 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
* 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
* 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
* 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
* 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
* 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
* 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
* 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
* 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
* 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)