Talos has added and modified multiple rules in the browser-plugins, exploit-kit and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38140 <-> DISABLED <-> SERVER-WEBAPP ATutor connections.php SQL injection attempt (server-webapp.rules)
* 1:38141 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38145 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
* 1:38146 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38147 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38148 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38149 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
* 1:38151 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:38152 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38153 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38154 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38155 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38156 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38157 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38163 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
* 1:38161 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:38162 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
* 1:38160 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate detected (exploit-kit.rules)
* 1:38159 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38158 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:16587 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:16305 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:16307 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:16537 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:18542 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38163 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit view uri request attempt (exploit-kit.rules)
* 1:38162 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit viewthread uri request attempt (exploit-kit.rules)
* 1:38161 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:38160 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit gate detected (exploit-kit.rules)
* 1:38159 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38158 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38157 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38156 <-> DISABLED <-> SERVER-WEBAPP 29o3 CMS LibDir parameter multiple remote file include attempt (server-webapp.rules)
* 1:38155 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38154 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38153 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38152 <-> DISABLED <-> BROWSER-PLUGINS WebGate WESPDiscovery ActiveX clsid access attempt (browser-plugins.rules)
* 1:38151 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
* 1:38149 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38148 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38147 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38146 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Server Monitor ActiveX clsid access attempt (browser-plugins.rules)
* 1:38145 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter variant outbound connection (malware-cnc.rules)
* 1:38144 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38143 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38142 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38141 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:38140 <-> DISABLED <-> SERVER-WEBAPP ATutor connections.php SQL injection attempt (server-webapp.rules)
* 1:16305 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:16307 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:16537 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)
* 1:16587 <-> DISABLED <-> BROWSER-PLUGINS Symantec Altiris Deployment Solution ActiveX clsid access attempt (browser-plugins.rules)
* 1:18542 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Media Player ActiveX unknown compression algorithm use after free attempt (browser-plugins.rules)