Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, malware-other and policy-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules) * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules) * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules) * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules) * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules)
* 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules) * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules) * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules) * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules) * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules) * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules) * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules) * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules) * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules) * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules) * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules) * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules) * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules) * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules) * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules) * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules)
* 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules) * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules) * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules) * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules) * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules) * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules) * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules) * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules) * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules) * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules) * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules) * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules) * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules) * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules) * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules) * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules) * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules) * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules) * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
* 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules) * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules) * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules) * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules) * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules) * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules) * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules) * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules) * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules) * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules) * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules) * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules) * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules) * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
