Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, exploit-kit, file-executable, file-image, file-java, indicator-obfuscation, malware-cnc, malware-other, os-linux, os-other, policy-other, protocol-dns, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (the rule snapshot built for Snort 2.9.7.6).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38348 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:38360 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38361 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38362 <-> DISABLED <-> BROWSER-OTHER HTTP Evader ICY header evasion attempt (browser-other.rules)
* 1:38363 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:38349 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
* 1:38350 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
* 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt (os-linux.rules)
* 3:38347 <-> ENABLED <-> FILE-EXECUTABLE PHP libmagic PE out of bounds memory access attempt (file-executable.rules)

* 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
* 1:24737 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:25121 <-> ENABLED <-> FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt (file-java.rules)
* 1:6697 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
* 1:24328 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24327 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24330 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:18710 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 1:23790 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt (browser-firefox.rules)
* 1:24325 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24326 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24324 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
* 1:24333 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24332 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:6405 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
* 1:36798 <-> ENABLED <-> EXPLOIT-KIT GongDa landing page detected (exploit-kit.rules)
* 1:24996 <-> DISABLED <-> SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt (server-other.rules)
* 1:27244 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirect (server-apache.rules)
* 1:28985 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
* 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 1:31455 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
* 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
* 1:24331 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
* 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980 (the rule snapshot built for Snort 2.9.8.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:38363 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
* 1:38362 <-> DISABLED <-> BROWSER-OTHER HTTP Evader ICY header evasion attempt (browser-other.rules)
* 1:38361 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38360 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
* 1:38350 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
* 1:38349 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 1:38348 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt (os-linux.rules)
* 3:38347 <-> ENABLED <-> FILE-EXECUTABLE PHP libmagic PE out of bounds memory access attempt (file-executable.rules)

* 1:24330 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24327 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24328 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24325 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24326 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:23790 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt (browser-firefox.rules)
* 1:24324 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:18710 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
* 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 1:6697 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
* 1:6405 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
* 1:36798 <-> ENABLED <-> EXPLOIT-KIT GongDa landing page detected (exploit-kit.rules)
* 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
* 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
* 1:31455 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
* 1:28985 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
* 1:27244 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirect (server-apache.rules)
* 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
* 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
* 1:24996 <-> DISABLED <-> SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt (server-other.rules)
* 1:25121 <-> ENABLED <-> FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt (file-java.rules)
* 1:24737 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24333 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24332 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 1:24331 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
* 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
* 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
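Both announcements above describe the same entry format, gid:sid <-> Default rule state <-> Message (rule group), and the operational point hides in the second field: an entry marked DISABLED ships inactive and adds no coverage until it is enabled in your policy, and gid 3 entries are shared-object (SO) rules that Snort loads from the precompiled bundle matching your Snort build rather than from the text .rules file. The parser below is an added example, not Talos tooling; it reads a changelog in that format (tolerating entries run together on one line or split across lines, as on this page), reports the entries that need manual enabling or the SO bundle, and emits them as one gid:sid per line, which is assumed here to be the form PulledPork's enablesid.conf takes. The SAMPLE text is constructed from entries in the lists above.

```python
"""Parse a Snort rule-update changelog in the announced format

    gid:sid <-> Default rule state <-> Message (rule group)

and pull out what a deployment still has to act on: entries that ship
DISABLED (no coverage until enabled in your policy) and gid 3 shared-object
rules (loaded from the precompiled SO bundle for your Snort build, not from
the text .rules file). Added example, not Talos tooling; SAMPLE below is
constructed from entries in the announcement.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# One entry: "gid:sid <-> STATE <-> CATEGORY message text (group.rules)".
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Bullet marker that starts a new entry. Only split where a gid:sid follows,
# so a '*' inside a rule message is not mistaken for a separator.
BULLET_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str      # default policy state: "ENABLED" or "DISABLED"
    category: str   # e.g. MALWARE-CNC, the leading token of the message
    msg: str
    group: str      # e.g. malware-cnc.rules

    @property
    def shared_object(self) -> bool:
        """gid 3 is the generator ID Snort uses for shared-object (SO) rules."""
        return self.gid == 3


def split_entries(text: str) -> List[str]:
    """Turn a changelog blob into one string per entry.

    Extracted announcements often have several entries run together on one
    line and single entries broken across lines, so join everything and
    re-split on the bullet marker instead of trusting line boundaries.
    """
    joined = " ".join(line.strip() for line in text.splitlines())
    return [e.strip() for e in BULLET_RE.split(joined) if e.strip()]


def parse_changelog(text: str) -> Tuple[List[RuleChange], List[str]]:
    """Return (parsed entries, entries that did not match the format)."""
    changes, rejected = [], []
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry)
        if m is None:
            rejected.append(entry)
            continue
        changes.append(RuleChange(int(m["gid"]), int(m["sid"]), m["state"],
                                  m["category"], m["msg"], m["group"]))
    return changes, rejected


def disabled_by_default(changes: List[RuleChange]) -> List[RuleChange]:
    return [c for c in changes if c.state == "DISABLED"]


def shared_object_rules(changes: List[RuleChange]) -> List[RuleChange]:
    return [c for c in changes if c.shared_object]


def enablesid_lines(changes: List[RuleChange]) -> List[str]:
    """'gid:sid' per line for the disabled entries, the shape PulledPork's
    enablesid.conf takes (assumed here; check your rule manager's format)."""
    wanted = sorted(disabled_by_default(changes), key=lambda c: (c.gid, c.sid))
    return [f"{c.gid}:{c.sid}" for c in wanted]


def category_summary(changes: List[RuleChange]) -> Counter:
    """Count entries per (category, default state) for a quick coverage view."""
    return Counter((c.category, c.state) for c in changes)


# Constructed sample: entries copied from the announcement, deliberately
# including a run-together line and an entry broken across two lines.
SAMPLE = """\
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules) * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
* 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt
(os-linux.rules) * 3:38347 <-> ENABLED <-> FILE-EXECUTABLE PHP libmagic PE out of bounds memory access attempt (file-executable.rules)
* 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
"""

if __name__ == "__main__":
    changes, rejected = parse_changelog(SAMPLE)
    print(f"{len(changes)} entries parsed, {len(rejected)} rejected")
    for c in disabled_by_default(changes):
        print(f"needs enabling: {c.gid}:{c.sid} {c.category} {c.msg}")
    for c in shared_object_rules(changes):
        print(f"SO rule, needs matching .so build: {c.gid}:{c.sid} {c.msg}")
    print("enablesid.conf:", "\n".join(enablesid_lines(changes)))
```

Run it against a full announcement pasted into SAMPLE (or read from a file) and diff the enablesid output against what your policy already enables; anything rejected by the parser is worth a look, since a mangled entry can hide a rule you meant to turn on.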