Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
* 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
* 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
* 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
* 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
* 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
* 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
* 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
* 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
* 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
* 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)

* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
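The changelist format stated above (gid:sid <-> default state <-> message (rule group)) is regular enough to parse mechanically, which is how an operator answers the questions that matter when a pack lands: which groups got new rules, which of them ship DISABLED and so will never fire until someone turns them on (every Oracle Application Testing Suite traversal rule and the Scrutinizer SQL injection rules in this pack, for example), and whether a default state flipped since the previous pack. The script below is an added example written for this page, not Talos or Snort code. It uses a regular expression scan rather than line splitting so it also copes with entries that have been run together on one line separated by " * ", as they were in the extracted copy of this page. The five entries in SAMPLE_2976 are copied from the 2976 list above; SAMPLE_LATER is a constructed follow-on pack for the diff demonstration, in which 1:38913 is imagined flipped to ENABLED and a hypothetical SID 1:9999001 is added, so neither of those two changes is a real Talos update.

```python
"""Parse a Talos/VRT rule-pack changelist and summarise what changed.

Added example, not Talos code. Entry format (from the page):
    gid:sid <-> Default rule state <-> Message (rule group)
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelist entry. The category is the first ALL-CAPS token of the
# message (FILE-PDF, SERVER-WEBAPP, ...); the group is the .rules file.
RULE_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+"
    r"(?P<msg>.*?)\s*"
    r"\((?P<group>[\w-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str      # default state in the pack: ENABLED or DISABLED
    category: str   # e.g. SERVER-WEBAPP
    message: str    # rule message without the category prefix
    group: str      # e.g. server-webapp.rules

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleChange]:
    """Every gid:sid entry in text, in document order.

    finditer() is used instead of splitlines() so that entries glued
    together on one line (" ... (x.rules) * 1:1234 <-> ...") still parse.
    """
    return [
        RuleChange(int(m["gid"]), int(m["sid"]), m["state"],
                   m["category"], m["msg"], m["group"])
        for m in RULE_RE.finditer(text)
    ]


def count_by_group(changes: list[RuleChange]) -> Counter:
    """{(group, state): n}: how much of the pack is on by default."""
    return Counter((c.group, c.state) for c in changes)


def disabled_by_default(changes: list[RuleChange],
                        category: str | None = None) -> list[str]:
    """gid:sid of rules that ship DISABLED, optionally in one category.

    These are the rules that will never alert unless you enable them
    explicitly, so they are the ones worth a deliberate decision.
    """
    keys = {c.key for c in changes
            if c.state == "DISABLED"
            and (category is None or c.category == category)}
    return sorted(keys, key=lambda k: tuple(int(x) for x in k.split(":")))


def state_changes(old: list[RuleChange], new: list[RuleChange]):
    """Default-state flips between two packs, plus SIDs new in `new`."""
    old_map = {c.key: c.state for c in old}
    new_map = {c.key: c.state for c in new}
    flipped = {k: (old_map[k], new_map[k])
               for k in old_map.keys() & new_map.keys()
               if old_map[k] != new_map[k]}
    added = sorted(new_map.keys() - old_map.keys())
    return flipped, added


# Entries copied from the 2976 list on this page, in the run-together form.
SAMPLE_2976 = (
    "* 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite "
    "directory traversal attempt (server-webapp.rules) "
    "* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure "
    "deserialization command execution attempt (server-webapp.rules) "
    "* 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application "
    "Testing Suite filename directory traversal attempt (server-webapp.rules) "
    "* 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion "
    "attempt (indicator-obfuscation.rules) "
    "* 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound "
    "connection (malware-cnc.rules)"
)

# CONSTRUCTED follow-on pack for the diff demo; NOT a real Talos update.
# 1:38913 is imagined flipped to ENABLED and hypothetical 1:9999001 added.
SAMPLE_LATER = SAMPLE_2976.replace(
    "1:38913 <-> DISABLED", "1:38913 <-> ENABLED"
) + (" * 1:9999001 <-> ENABLED <-> SERVER-WEBAPP hypothetical example rule "
     "(server-webapp.rules)")


if __name__ == "__main__":
    pack = parse_changelog(SAMPLE_2976)
    for (group, state), n in sorted(count_by_group(pack).items()):
        print(f"{group:28s} {state:8s} {n}")
    print("disabled SERVER-WEBAPP rules to review:",
          disabled_by_default(pack, "SERVER-WEBAPP"))
    flipped, added = state_changes(pack, parse_changelog(SAMPLE_LATER))
    print("default-state changes:", flipped, "new SIDs:", added)
```

Feed the full changelist text to parse_changelog and the category filter in disabled_by_default gives you the short list to hand to whatever rule management you use; the diff in state_changes is the check to run when a later pack silently changes a default, because a rule that was ENABLED and becomes DISABLED stops alerting without any other visible sign.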
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
* 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
* 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
* 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
* 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
* 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
* 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
* 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
* 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
* 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
* 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)

* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38944 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38943 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript out of bound memory corruption attempt (file-pdf.rules)
* 1:38942 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38941 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38940 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet servlet directory traversal attempt (server-webapp.rules)
* 1:38939 <-> DISABLED <-> SERVER-WEBAPP ORACLE-SERVER Oracle Application Testing Suite filename directory traversal attempt (server-webapp.rules)
* 1:38938 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38937 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38936 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38935 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:38932 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38931 <-> ENABLED <-> FILE-PDF Adobe Reader submitForm read out of bounds attempt (file-pdf.rules)
* 1:38930 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
* 1:38929 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer user_id SQL injection attempt (server-webapp.rules)
* 1:38928 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:38927 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer setSkin SQL injection attempt (server-webapp.rules)
* 1:38926 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38925 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer deleteTab SQL injection attempt (server-webapp.rules)
* 1:38924 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38923 <-> ENABLED <-> FILE-PDF Adobe Reader compareDocuments JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38922 <-> DISABLED <-> INDICATOR-OBFUSCATION Brotli encoding evasion attempt (indicator-obfuscation.rules)
* 1:38921 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38920 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38919 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38918 <-> ENABLED <-> FILE-PDF Adobe Reader createAVView JavaScript use-after-free attempt (file-pdf.rules)
* 1:38917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant CNC traffic (malware-cnc.rules)
* 1:38916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex download attempt (malware-cnc.rules)
* 1:38915 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38914 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38913 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite directory traversal attempt (server-webapp.rules)
* 1:38912 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38911 <-> ENABLED <-> FILE-PDF Adobe Reader DisablePermEnforcement JavaScript function use-after-free attempt (file-pdf.rules)
* 1:38910 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38909 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38908 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38907 <-> ENABLED <-> FILE-PDF Adobe Reader PDF execMenuItem use after free attempt (file-pdf.rules)
* 1:38906 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38905 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38904 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:38903 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38902 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setPageAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38901 <-> ENABLED <-> FILE-PDF Adobe Reader PDF setAction execMenuItem use after free attempt (file-pdf.rules)
* 1:38900 <-> ENABLED <-> FILE-PDF Adobe Reader PDF onEvent execMenuItem use after free attempt (file-pdf.rules)
* 1:38899 <-> ENABLED <-> FILE-PDF Adobe Reader PDF defineGetter execMenuItem use after free attempt (file-pdf.rules)
* 1:38898 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38897 <-> DISABLED <-> FILE-OTHER Adobe Illustrator CS4 aires.dll dll-load exploit attempt (file-other.rules)
* 1:38896 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38895 <-> ENABLED <-> FILE-PDF Adobe Reader XFA prePrint use after free attempt (file-pdf.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:38893 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38892 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38891 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts initial registration (malware-cnc.rules)
* 1:38890 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts exfiltration attempt (malware-cnc.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:38888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:38887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection (malware-cnc.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection attempt (malware-cnc.rules)
* 1:38885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound registration attempt (malware-cnc.rules)
* 1:38884 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FileReference type confusion attempt (file-flash.rules)
* 1:38880 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:38879 <-> ENABLED <-> SERVER-WEBAPP HP Enterprise Vertica validateAdminConfig command injection attempt (server-webapp.rules)
* 1:38878 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38877 <-> ENABLED <-> FILE-PDF Adobe Reader trusted JavaScript function security bypass attempt (file-pdf.rules)
* 1:38876 <-> DISABLED <-> EXPLOIT-KIT Obfuscated exploit download attempt (exploit-kit.rules)
* 1:35718 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35717 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35716 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35715 <-> ENABLED <-> FILE-MULTIMEDIA Apple QuickTime mdat atom corruption out of bounds read attempt (file-multimedia.rules)
* 1:35714 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35713 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid dref atom out of bounds read attempt (file-multimedia.rules)
* 1:35712 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35711 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid alis atom out of bounds read attempt (file-multimedia.rules)
* 1:35627 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35626 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35625 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
* 1:35624 <-> DISABLED <-> FILE-MULTIMEDIA Apple Quicktime invalid samr atom out of bounds read attempt (file-multimedia.rules)
bounds read attempt (file-multimedia.rules)
* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:29508 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
* 1:29506 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29507 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:29409 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:29410 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader javascript toolbar button use after free attempt (file-pdf.rules)
* 1:24726 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:29092 <-> DISABLED <-> BROWSER-PLUGINS ABB Test Signal Viewer CWGraph3D ActiveX clsid access attempt (browser-plugins.rules)
* 1:24725 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:24723 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX clsid access attempt (browser-plugins.rules)
* 1:24724 <-> DISABLED <-> BROWSER-PLUGINS IBM Rational Rhapsody BBFlashback ActiveX function call access attempt (browser-plugins.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)