Talos Rules 2015-11-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, malware-cnc, os-windows, protocol-icmp, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-11-14 17:46:13 UTC

Snort Subscriber Rules Update

Date: 2015-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36801 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
 * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36808 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nodslit variant outbound connection attempt (malware-cnc.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36803 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center img buffer overflow attempt (server-other.rules)
 * 1:36799 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cbbps0.lh1.in - Trojan.Win32.Ruinmail.A (blacklist.rules)
 * 1:36806 <-> ENABLED <-> BLACKLIST DNS request for known malware domain desktopicon.net - Win.Trojan.Nodslit (blacklist.rules)
 * 1:36789 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt (browser-firefox.rules)
 * 1:36790 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36791 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt (browser-ie.rules)
 * 1:36792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36796 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36798 <-> DISABLED <-> EXPLOIT-KIT KaiXin exploit kit landing page detected (exploit-kit.rules)
 * 1:36800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ruinmail outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:12417 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:20632 <-> DISABLED <-> SERVER-WEBAPP AnnoncesV annonce.php remote file include attempt (server-webapp.rules)
 * 1:21669 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt (protocol-voip.rules)
 * 1:24793 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit Java Class download (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
 * 1:366 <-> DISABLED <-> PROTOCOL-ICMP PING Unix (protocol-icmp.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)

2015-11-14 17:46:13 UTC

Snort Subscriber Rules Update

Date: 2015-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36808 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nodslit variant outbound connection attempt (malware-cnc.rules)
 * 1:36806 <-> ENABLED <-> BLACKLIST DNS request for known malware domain desktopicon.net - Win.Trojan.Nodslit (blacklist.rules)
 * 1:36803 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center img buffer overflow attempt (server-other.rules)
 * 1:36801 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ruinmail outbound connection (malware-cnc.rules)
 * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36789 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt (browser-firefox.rules)
 * 1:36790 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36791 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt (browser-ie.rules)
 * 1:36792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36796 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36798 <-> DISABLED <-> EXPLOIT-KIT KaiXin exploit kit landing page detected (exploit-kit.rules)
 * 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
 * 1:36799 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cbbps0.lh1.in - Trojan.Win32.Ruinmail.A (blacklist.rules)

Modified Rules:

 * 1:12417 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:20632 <-> DISABLED <-> SERVER-WEBAPP AnnoncesV annonce.php remote file include attempt (server-webapp.rules)
 * 1:21669 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt (protocol-voip.rules)
 * 1:24793 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit Java Class download (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
 * 1:366 <-> DISABLED <-> PROTOCOL-ICMP PING Unix (protocol-icmp.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)

2015-11-14 17:46:13 UTC

Snort Subscriber Rules Update

Date: 2015-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36808 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nodslit variant outbound connection attempt (malware-cnc.rules)
 * 1:36806 <-> ENABLED <-> BLACKLIST DNS request for known malware domain desktopicon.net - Win.Trojan.Nodslit (blacklist.rules)
 * 1:36805 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows wininet peerdistsvc.dll dll-load exploit attempt (os-windows.rules)
 * 1:36803 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center img buffer overflow attempt (server-other.rules)
 * 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
 * 1:36801 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ruinmail outbound connection (malware-cnc.rules)
 * 1:36799 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cbbps0.lh1.in - Trojan.Win32.Ruinmail.A (blacklist.rules)
 * 1:36798 <-> DISABLED <-> EXPLOIT-KIT KaiXin exploit kit landing page detected (exploit-kit.rules)
 * 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36796 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36795 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36794 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36793 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive playAudioFile.jsp directory traversal attempt (server-webapp.rules)
 * 1:36792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:36791 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer data stream header remote code execution attempt (browser-ie.rules)
 * 1:36790 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36789 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Javascript large regex memory corruption attempt (browser-firefox.rules)

Modified Rules:

 * 1:12417 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Visual FoxPro ActiveX clsid access (browser-plugins.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:20632 <-> DISABLED <-> SERVER-WEBAPP AnnoncesV annonce.php remote file include attempt (server-webapp.rules)
 * 1:21669 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt (protocol-voip.rules)
 * 1:24793 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit Java Class download (exploit-kit.rules)
 * 1:24794 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24795 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24796 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24797 <-> DISABLED <-> EXPLOIT-KIT Multiple exploit kit Class download attempt (exploit-kit.rules)
 * 1:24888 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:28911 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection (exploit-kit.rules)
 * 1:366 <-> DISABLED <-> PROTOCOL-ICMP PING Unix (protocol-icmp.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)