Talos has added and modified multiple rules in the app-detect, blacklist, browser-plugins, file-flash, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)
* 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
* 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
* 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
* 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
* 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
* 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
* 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
* 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
* 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
* 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
* 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
* 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
* 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
* 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)

Modified rules:
* 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
* 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
* 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)
* 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
* 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
* 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
* 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
* 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
* 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
* 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
* 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
* 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
* 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
* 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
* 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
* 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
* 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)

Modified rules:
* 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
* 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
* 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)
* 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
* 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
* 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
* 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
* 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
* 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
* 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
* 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
* 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
* 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37062 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules)
* 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
* 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
* 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
* 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
* 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
* 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
* 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
* 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)

Modified rules:
* 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
* 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
* 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
* 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
* 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
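The three rule packs above (Snort 2962, 2975 and 2976) all use the same changelog format, "gid:sid <-> Default rule state <-> Message (rule group)", and on this page they carry the same set of rules. The script below is an added example, not part of the Talos advisory: it parses that format, including the glued-together and line-broken entries the web extraction produced, summarises what the pack enables by default, lists the rules shipped DISABLED (which is where coverage such as the BACnet OPC and HipChat rules sits until an operator turns it on), and diffs two packs by gid:sid. The first sample reuses entries from this page; the second sample is a constructed, hypothetical pack that exists only to exercise the diff, since a diff between the real lists on this page is empty.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One entry in the advisory's format: "gid:sid <-> Default rule state <-> Message (rule group)".
# No trailing "$" anchor: prose glued after the rule group (e.g. the next pack's header) is ignored.
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)
# Web extraction glues many "* gid:sid <-> ..." entries onto one line and breaks others
# across lines, so entries are split on the "*" bullet rather than on newlines.
BULLET_RE = re.compile(r"(?:^|\s)\*\s+")

@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # The first token of the message is the rule category, e.g. MALWARE-CNC.
        return self.message.split(" ", 1)[0]

def parse_changelog(text: str) -> list[RuleEntry]:
    """Entries in advisory text. Surrounding prose is skipped; a chunk that starts
    like an entry but does not parse raises instead of being silently dropped."""
    entries = []
    for chunk in BULLET_RE.split(text):
        chunk = " ".join(chunk.split())  # rejoin an entry broken across lines
        if not re.match(r"\d+:\d+\s*<->", chunk):
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"malformed changelog entry: {chunk!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries

def summarize(entries: list[RuleEntry]) -> Counter:
    """Rules per (category, default state): what the pack turns on by itself."""
    return Counter((e.category, "ENABLED" if e.enabled else "DISABLED") for e in entries)

def disabled_by_default(entries: list[RuleEntry], category: str = "") -> list[RuleEntry]:
    """Rules shipped DISABLED: coverage you only get if you enable it yourself."""
    return [e for e in entries if not e.enabled and (not category or e.category == category)]

def _numeric(key: str) -> tuple[int, int]:
    gid, sid = key.split(":")
    return int(gid), int(sid)

def sid_lines(entries: list[RuleEntry]) -> list[str]:
    """One gid:sid per line, the shape rule-state lists such as PulledPork's enablesid.conf use."""
    return sorted((e.key for e in entries), key=_numeric)

def diff_packs(old: list[RuleEntry], new: list[RuleEntry]):
    """Keys added, removed, and whose default state flipped between two packs."""
    o = {e.key: e for e in old}
    n = {e.key: e for e in new}
    added = sorted(n.keys() - o.keys(), key=_numeric)
    removed = sorted(o.keys() - n.keys(), key=_numeric)
    flipped = sorted((k for k in o.keys() & n.keys() if o[k].enabled != n[k].enabled), key=_numeric)
    return added, removed, flipped

# Sample input: entries copied from the advisory, laid out the way the web extraction left them.
SAMPLE_2962 = """\
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules) * 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules) * 1:37046 <-> ENABLED <-> BLACKLIST
DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
* 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)
"""
# Constructed, hypothetical follow-on pack (not a real release): 37039 flipped to ENABLED,
# 37071 added, 3:16533 dropped, so that diff_packs has something to report.
SAMPLE_NEXT_HYPOTHETICAL = """\
* 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
* 1:37039 <-> ENABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
* 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
* 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
"""

if __name__ == "__main__":
    pack = parse_changelog(SAMPLE_2962)
    for (cat, state), count in sorted(summarize(pack).items()):
        print(f"{cat:<15} {state:<8} {count}")
    print("disabled by default:", [e.key for e in disabled_by_default(pack)])
    print("added/removed/flipped vs. hypothetical next pack:",
          diff_packs(pack, parse_changelog(SAMPLE_NEXT_HYPOTHETICAL)))
```

Running the script against the full text of one of the packs above gives the per-category count of what is on by default; the disabled list is the part worth reviewing against your own environment, since a DISABLED entry in this changelog means the rule is shipped but does nothing until it is enabled in your rule-state configuration.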