Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-office, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37872 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
* 1:37873 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
* 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:37871 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37861 <-> DISABLED <-> SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt (server-other.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37858 <-> DISABLED <-> SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt (server-webapp.rules)

* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:17724 <-> DISABLED <-> OS-WINDOWS Microsoft IIS malicious ASP file upload attempt (os-windows.rules)
* 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)
* 1:12168 <-> DISABLED <-> BROWSER-PLUGINS Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (browser-plugins.rules)
* 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
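The listing format above (gid:sid, default state, message, rule group) is easy to parse, and doing so is the quickest way to see which new rules will actually fire on a default policy and which ones ship DISABLED and need to be turned on locally. The following is an added example, not Talos or Snort code: it parses entries in that format (whether one per line or several run together on a line), summarises default states per rule group, diffs two listings, and emits "gid:sid" lines in the form pulledpork's enablesid.conf accepts (that consumer is an assumption; adapt the output to whatever manages your rule state). The first listing is copied from the Snort 2962 section above; the "previous" listing is constructed purely to exercise the diff.

```python
import re
from collections import Counter

# One entry of the Talos listing format:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)

# Eight entries copied from the Snort 2962 listing on this page (deliberately left
# partly run together on one line, as the page renders them).
PACK_2962 = """\
* 1:37872 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules) * 1:37873 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules) * 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:37871 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37861 <-> DISABLED <-> SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt (server-other.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37858 <-> DISABLED <-> SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt (server-webapp.rules)
"""

# Constructed (hypothetical) earlier listing, used only to exercise the diff:
# the four 1:3787x rules are absent and 1:37858 is enabled by default.
PACK_PREVIOUS = """\
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37861 <-> DISABLED <-> SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt (server-other.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37858 <-> ENABLED <-> SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt (server-webapp.rules)
"""


def parse_rule_list(text):
    """Return {(gid, sid): {"state", "msg", "group"}} for a listing in the format above."""
    rules = {}
    # Entries are sometimes flattened onto one line; split on the '* ' marker that
    # precedes each 'gid:sid <->' rather than on newlines.
    for chunk in re.split(r"\s*\*\s+(?=\d+:\d+\s*<->)", text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if not m:
            raise ValueError(f"unparseable entry: {chunk!r}")
        rules[(int(m["gid"]), int(m["sid"]))] = {
            "state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def state_counts(rules):
    """Count rules per (rule group, default state), e.g. ('exploit-kit.rules', 'ENABLED')."""
    return Counter((r["group"], r["state"]) for r in rules.values())


def disabled_by_default(rules):
    """SIDs that ship DISABLED: they alert on nothing until enabled in the local policy."""
    return sorted(sid for (_gid, sid), r in rules.items() if r["state"] == "DISABLED")


def diff_packs(old, new):
    """Compare two listings: new SIDs, dropped SIDs, and default-state changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        (key, old[key]["state"], new[key]["state"])
        for key in set(old) & set(new)
        if old[key]["state"] != new[key]["state"])
    return {"added": added, "removed": removed, "state_changed": changed}


def enablesid_lines(rules, groups):
    """Emit 'gid:sid' lines (pulledpork enablesid.conf style, assumed) for DISABLED
    rules in the chosen groups, so a reviewer can opt them in deliberately."""
    return [f"{gid}:{sid}" for (gid, sid), r in sorted(rules.items())
            if r["state"] == "DISABLED" and r["group"] in groups]


if __name__ == "__main__":
    new = parse_rule_list(PACK_2962)
    old = parse_rule_list(PACK_PREVIOUS)
    print(state_counts(new))
    print(disabled_by_default(new))
    print(diff_packs(old, new))
    print(enablesid_lines(new, {"exploit-kit.rules", "server-webapp.rules"}))
```

The point of the per-group summary is the caveat that matters in practice: half of the rules in this drop (for example the Angler viewthread rule 1:37872 and the Thru MFT command-injection rule 1:37858) are DISABLED by default, so a sensor that simply pulls the new rule pack gains no detection for them until they are enabled locally.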
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37858 <-> DISABLED <-> SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt (server-webapp.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37861 <-> DISABLED <-> SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt (server-other.rules)
* 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:37871 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37872 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
* 1:37873 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)

* 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)
* 1:17724 <-> DISABLED <-> OS-WINDOWS Microsoft IIS malicious ASP file upload attempt (os-windows.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:12168 <-> DISABLED <-> BROWSER-PLUGINS Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (browser-plugins.rules)
* 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37873 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
* 1:37872 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
* 1:37871 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:37861 <-> DISABLED <-> SERVER-OTHER SafeNEt SoftRemote IKE service buffer overflow attempt (server-other.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37858 <-> DISABLED <-> SERVER-WEBAPP Thru Managed File Transfer Portal command injection attempt (server-webapp.rules)

* 1:36720 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)
* 1:17724 <-> DISABLED <-> OS-WINDOWS Microsoft IIS malicious ASP file upload attempt (os-windows.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:12168 <-> DISABLED <-> BROWSER-PLUGINS Computer Associates ETrust Intrusion Detection Caller.DLL ActiveX clsid access (browser-plugins.rules)
* 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word external document access use-after-free attempt (file-office.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:3689 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer tRNS overflow attempt (browser-ie.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36721 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word CoCreateInstance elevation of privilege attempt (file-office.rules)