Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-office, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
* 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
* 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
Modified Rules:

* 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
* 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
* 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
Modified Rules:

* 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
* 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
* 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
Modified Rules:

* 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
* 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
* 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
* 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
* 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
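The "Default rule state" column is the part of these lists that matters operationally: a rule marked DISABLED ships in the rule pack but is inert until you enable it, so after an update only the ENABLED entries (here the malware-cnc, file-flash and gid 3 rules) start firing on their own, while every server-webapp, browser-plugins and exploit-kit rule above stays off unless you turn it on. The following Python is an added example, not Talos's or the Snort project's tooling: it parses lists in the "gid:sid <-> Default rule state <-> Message (rule group)" format described above, reports what is on by default, emits "gid:sid" lines for the disabled rules you want (in the one-id-per-line form that PulledPork reads from enablesid.conf, which is an assumption about the tool in use), and diffs two releases. The first sample is real entries copied from the lists on this page; the second is a constructed follow-up list, not a real release.

```python
"""Parse a Snort rule-update list in the
'gid:sid <-> Default rule state <-> Message (rule group)' format,
report what is on by default, and diff two releases."""
import re
from collections import Counter

# One entry of the update list. Scanning the whole text with finditer() (rather
# than line by line) also copes with lists that have been run together onto a
# single line, as happens when the page is extracted.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[A-Za-z0-9_-]+\.rules)\)"
)


def parse_rule_list(text):
    """Map (gid, sid) -> {'state', 'msg', 'group'} for every entry found."""
    rules = {}
    for m in ENTRY_RE.finditer(text):
        rules[(int(m["gid"]), int(m["sid"]))] = {
            "state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def enabled_by_default(rules):
    """Rules that fire after a plain update; DISABLED ones ship inert."""
    return sorted(k for k, v in rules.items() if v["state"] == "ENABLED")


def summarise_by_group(rules):
    """Counter of (rule group, default state) -> number of rules."""
    return Counter((v["group"], v["state"]) for v in rules.values())


def enablesid_lines(rules, groups):
    """'gid:sid' lines for the DISABLED rules in the chosen groups. This is the
    one-id-per-line form PulledPork reads from enablesid.conf (assumption: that
    is the tool managing the sensor's rule set)."""
    return [f"{g}:{s}" for (g, s), v in sorted(rules.items())
            if v["state"] == "DISABLED" and v["group"] in groups]


def diff_rule_lists(old, new):
    """Which ids appeared, disappeared, or changed default state between releases."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "state_changed": sorted(k for k in common if old[k]["state"] != new[k]["state"]),
    }


# Excerpt of real entries from the lists above; the first line keeps two
# entries run together to exercise the parser.
LIST_2962 = """
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules) * 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
* 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
"""

# CONSTRUCTED follow-up list for the diff, not a real release: 1:36899 flipped
# to ENABLED, 1:36900 dropped, and 1:36902 (another entry from the page) added.
LIST_NEXT = """
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
* 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
* 1:36899 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
* 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    old, new = parse_rule_list(LIST_2962), parse_rule_list(LIST_NEXT)
    print("on by default:", enabled_by_default(old))
    for (group, state), n in sorted(summarise_by_group(old).items()):
        print(f"{group:22} {state:8} {n}")
    print("enablesid.conf additions:",
          enablesid_lines(old, {"server-webapp.rules", "exploit-kit.rules"}))
    print("next release:", diff_rule_lists(old, new))
```

Run against a full update post, the diff is the useful part: a rule whose default state flips between releases changes what your sensor alerts on without any change to your own configuration, so it deserves the same review as a newly added rule.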