Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, malware-cnc, malware-tools, os-linux, os-windows, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules) * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules) * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules) * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules) * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules) * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules) * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules) * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules) * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules) * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules) * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules) * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules) * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules) * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules) * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules) * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules) * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules) * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules) * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules) * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules) * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules) * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules) * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules) * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules) * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules) * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules) * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules) * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules) * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules) * 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules) * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules) * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules) * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules) * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules) * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules) * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules) * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules) * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules) * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules) * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules) * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules) * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules) * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules) * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules) * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules) * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules) * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules) * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules) * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules) * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules) * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules) * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules) * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules) * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules) * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules) * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules) * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules) * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules) * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules) * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules) * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules) * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules) * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)