Talos has added and modified multiple rules in the browser-plugins, exploit-kit, malware-cnc, protocol-icmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
* 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
* 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)
* 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
* 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
* 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
* 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
* 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)
* 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
* 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36651 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules)
* 1:36648 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36647 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:36646 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36645 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36644 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36643 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36642 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36641 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules)
* 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules)
* 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)
* 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
* 1:24771 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:20847 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
* 1:24772 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachment_Times ActiveX clsid access (browser-plugins.rules)
* 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
* 1:24773 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus iNotes Attachement_Times ActiveX clsid access (browser-plugins.rules)
* 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
* 1:20846 <-> DISABLED <-> BROWSER-PLUGINS Oracle Hyperion Strategic Finance Client SetDevNames ActiveX clsid access attempt (browser-plugins.rules)
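The three lists above all use the "gid:sid <-> Default rule state <-> Message (rule group)" format described at the top of each pack. Most of the new rules ship DISABLED, so an operator who wants the Advantech, Squid or WordPress coverage has to turn those SIDs on deliberately; the gid 3 entries are shared-object rules, which only load with the precompiled SO bundle that matches the Snort build the pack was cut for (hence the separate 2962/2975/2976 packs). The following parser is an added example, not Talos or Snort code: it turns the flattened announcement text into records, lists what alerts by default, emits PulledPork-style enablesid lines (one gid:sid per line) for chosen categories, and diffs two packs. The sample input is a handful of entries copied from the list above; the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: four entries copied from the rule-pack list on
# this page, in the flattened "* gid:sid <-> STATE <-> MESSAGE (file)" form
# in which the page presents them.
SAMPLE = (
    "* 1:36639 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tavex outbound connection attempt (malware-cnc.rules) "
    "* 1:36638 <-> DISABLED <-> SERVER-WEBAPP WordPress Font Plugin AjaxProxy.php absolute path traversal attempt (server-webapp.rules) "
    "* 1:36650 <-> DISABLED <-> PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt (protocol-icmp.rules) "
    "* 3:36649 <-> ENABLED <-> SERVER-OTHER Cisco Web Security Appliance range request memory leak denial of service attempt (server-other.rules)"
)

# One entry: "gid:sid <-> ENABLED|DISABLED <-> message (rule-file.rules)".
# The message is matched lazily so it stops at the "(x.rules)" suffix even
# when many entries are run together on one line.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<file>[\w.-]+\.rules)\)"
)


def parse_entries(text):
    """Parse every 'gid:sid <-> state <-> message (file)' entry in text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        msg = m.group("msg")
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            # The leading upper-case token of a Snort message is its category.
            "category": msg.split(" ", 1)[0],
            "msg": msg,
            "file": m.group("file"),
        })
    return entries


def default_enabled(entries):
    """gid:sid keys of the rules that alert under the pack's default policy."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if e["state"] == "ENABLED")


def enablesid_lines(entries, categories):
    """PulledPork-style enablesid lines (assumed format: one gid:sid per line)
    for rules that ship DISABLED in the given categories, so they can be
    switched on by SID instead of flipping an entire category."""
    keys = sorted(
        (e["gid"], e["sid"]) for e in entries
        if e["state"] == "DISABLED" and e["category"] in categories
    )
    return [f"{gid}:{sid}" for gid, sid in keys]


def diff_packs(old, new):
    """SIDs only the new pack carries, and rules whose default state changed."""
    old_by_key = {(e["gid"], e["sid"]): e for e in old}
    new_by_key = {(e["gid"], e["sid"]): e for e in new}
    added = sorted(k for k in new_by_key if k not in old_by_key)
    flipped = sorted(
        k for k in new_by_key
        if k in old_by_key and old_by_key[k]["state"] != new_by_key[k]["state"]
    )
    return {"added": added, "state_changed": flipped}


def summarize(entries):
    """Rule counts per (category, default state)."""
    return Counter((e["category"], e["state"]) for e in entries)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for e in entries:
        print(f"{e['gid']}:{e['sid']:<6} {e['state']:<8} {e['category']:<14} {e['file']}")
    print("enabled by default:", default_enabled(entries))
    print("enablesid additions:", enablesid_lines(entries, {"SERVER-WEBAPP", "PROTOCOL-ICMP"}))
    print(summarize(entries))
```

Running two consecutive packs through diff_packs is the quick way to confirm whether an update actually changed anything for your sensor: the 2975 and 2976 lists on this page carry the same SIDs with the same default states as 2962, so the diff is empty and only the SO bundle differs.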