Talos has added and modified multiple rules in the browser-other, browser-plugins, browser-webkit, file-flash, file-office, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
* 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules) * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules) * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules) * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules) * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules) * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules) * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules) * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules) * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules) * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules) * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules) * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules) * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules) * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
* 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules) * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules) * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules) * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules) * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
