Talos has added and modified multiple rules in the blacklist, browser-plugins, file-other, file-pdf, malware-backdoor, malware-cnc, malware-other, server-other and server-webapp rule sets to provide coverage for emerging threats. Rules listed below as DISABLED are shipped turned off and must be enabled explicitly where the affected product (for example SAP NetWeaver or the Siemens Automation License Manager) is present.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (2.9.7.6).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39067 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt (server-webapp.rules)
* 1:39069 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer list cross site scripting attempt (server-webapp.rules)
* 1:39064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection attempt (malware-cnc.rules)
* 1:39063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot outbound POST attempt (malware-cnc.rules)
* 1:39057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor (blacklist.rules)
* 1:39059 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39060 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver UDDISecurityImplBean SQL injection attempt (server-webapp.rules)
* 1:39061 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39058 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39062 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
* 1:39054 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39068 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer unregister cross site scripting attempt (server-webapp.rules)
* 1:39055 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39056 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rofin variant outbound connection (malware-cnc.rules)
* 3:39065 <-> ENABLED <-> SERVER-OTHER Cisco IOS NX invalid ICMPv6 neighbor discovery hop limit denial of service attempt (server-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980 (2.9.8.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39062 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39059 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39055 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
* 1:39069 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer list cross site scripting attempt (server-webapp.rules)
* 1:39060 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver UDDISecurityImplBean SQL injection attempt (server-webapp.rules)
* 1:39061 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor (blacklist.rules)
* 1:39058 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39056 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rofin variant outbound connection (malware-cnc.rules)
* 1:39063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot outbound POST attempt (malware-cnc.rules)
* 1:39067 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt (server-webapp.rules)
* 1:39064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection attempt (malware-cnc.rules)
* 1:39068 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer unregister cross site scripting attempt (server-webapp.rules)
* 1:39054 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 3:39065 <-> ENABLED <-> SERVER-OTHER Cisco IOS NX invalid ICMPv6 neighbor discovery hop limit denial of service attempt (server-other.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982 (2.9.8.2).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
* 1:39064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection attempt (malware-cnc.rules)
* 1:39063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot outbound POST attempt (malware-cnc.rules)
* 1:39060 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver UDDISecurityImplBean SQL injection attempt (server-webapp.rules)
* 1:39059 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39056 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rofin variant outbound connection (malware-cnc.rules)
* 1:39057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor (blacklist.rules)
* 1:39058 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39061 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39062 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39069 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer list cross site scripting attempt (server-webapp.rules)
* 1:39068 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer unregister cross site scripting attempt (server-webapp.rules)
* 1:39054 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39055 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39067 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt (server-webapp.rules)
* 3:39065 <-> ENABLED <-> SERVER-OTHER Cisco IOS NX invalid ICMPv6 neighbor discovery hop limit denial of service attempt (server-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39069 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer list cross site scripting attempt (server-webapp.rules)
* 1:39068 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer unregister cross site scripting attempt (server-webapp.rules)
* 1:39067 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt (server-webapp.rules)
* 1:39066 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
* 1:39064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection attempt (malware-cnc.rules)
* 1:39063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot outbound POST attempt (malware-cnc.rules)
* 1:39062 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39061 <-> ENABLED <-> FILE-PDF Adobe Reader XFA API preOpen use after free attempt (file-pdf.rules)
* 1:39060 <-> DISABLED <-> SERVER-WEBAPP SAP NetWeaver UDDISecurityImplBean SQL injection attempt (server-webapp.rules)
* 1:39059 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39058 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:39057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor (blacklist.rules)
* 1:39056 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rofin variant outbound connection (malware-cnc.rules)
* 1:39055 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 1:39054 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules)
* 3:39065 <-> ENABLED <-> SERVER-OTHER Cisco IOS NX invalid ICMPv6 neighbor discovery hop limit denial of service attempt (server-other.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
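All four lists above use the same line format, gid:sid <-> Default rule state <-> Message (rule group). The Python below is an added example for working with that format; it is not part of the Talos announcement and not Snort's own tooling. It parses an update list (including the run-together form in which the lists appear on this page), summarizes default states and rule files, flags rules that ship DISABLED and name a product the operator may run, identifies gid 3 shared-object rules, and reports default-state flips between two packs. SAMPLE_COLLAPSED is a constructed subset of the entries above; PREVIOUS_PACK is a constructed variant with one state flipped; the keyword list passed to disabled_rules_matching is an assumption about the operator's inventory.

```python
"""Parse a Snort rule-update list ("gid:sid <-> STATE <-> Message (file.rules)")
and answer the questions an operator has about it. Example code, not Talos's."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the announcement's entries, run together on
# one line with " * " separators exactly as the extracted page presents them.
SAMPLE_COLLAPSED = (
    "* 1:39067 <-> DISABLED <-> SERVER-WEBAPP SAP Netweaver Java Proxy Runtime ProxyServer register cross site scripting attempt (server-webapp.rules) "
    "* 1:39064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection attempt (malware-cnc.rules) "
    "* 1:39057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webshell.jexboss.net - JSP webshell backdoor (blacklist.rules) "
    "* 1:39054 <-> DISABLED <-> BROWSER-PLUGINS Siemens Automation License Manager ActiveX clsid access attempt (browser-plugins.rules) "
    "* 3:39065 <-> ENABLED <-> SERVER-OTHER Cisco IOS NX invalid ICMPv6 neighbor discovery hop limit denial of service attempt (server-other.rules) "
    "* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)"
)
# Constructed "earlier pack" in which 1:39054 was still enabled by default.
PREVIOUS_PACK = SAMPLE_COLLAPSED.replace("1:39054 <-> DISABLED", "1:39054 <-> ENABLED")

ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)
# Boundary between entries: a "* " bullet or a line break, followed by "gid:sid <->".
SPLIT_RE = re.compile(r"(?:\s*\*\s*|\s*\n\s*)(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str      # rule file the rule lives in, e.g. server-webapp.rules

    @property
    def shared_object(self) -> bool:
        # gid 3 is a shared-object (precompiled) rule; SO rules are built per
        # Snort version, which is why the pack is listed once per version.
        return self.gid == 3


def parse_entries(text: str) -> list[RuleEntry]:
    """Accept one entry per line (with or without '* ') or the whole list run together."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"unrecognized rule line: {chunk!r}")
        msg = m["msg"]
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                                 msg.split(" ", 1)[0], msg, m["group"]))
    return entries


def summarize(entries: list[RuleEntry]) -> dict:
    """Counts by default state and by rule file, plus the shared-object rules."""
    return {
        "by_state": dict(Counter("enabled" if e.enabled else "disabled" for e in entries)),
        "by_group": dict(Counter(e.group for e in entries)),
        "shared_object": sorted((e.gid, e.sid) for e in entries if e.shared_object),
    }


def disabled_rules_matching(entries: list[RuleEntry], keywords: list[str]) -> list[int]:
    """SIDs shipped DISABLED whose message names one of the given products.
    These never fire unless the operator enables them, so they are the ones to
    review against the asset inventory."""
    kws = [k.lower() for k in keywords]
    return sorted(e.sid for e in entries
                  if not e.enabled and any(k in e.message.lower() for k in kws))


def state_changes(old: list[RuleEntry], new: list[RuleEntry]) -> list[tuple[int, int, bool]]:
    """(gid, sid, new_enabled) for rules present in both packs whose default state differs."""
    old_state = {(e.gid, e.sid): e.enabled for e in old}
    return sorted((e.gid, e.sid, e.enabled) for e in new
                  if (e.gid, e.sid) in old_state and old_state[(e.gid, e.sid)] != e.enabled)


if __name__ == "__main__":
    current = parse_entries(SAMPLE_COLLAPSED)
    print(summarize(current))
    print("review if SAP/Siemens present:", disabled_rules_matching(current, ["SAP", "Siemens"]))
    print("state flips since previous pack:", state_changes(parse_entries(PREVIOUS_PACK), current))
```

Run against the full lists above, the four packs parse to the same set of entries, so state_changes between any two of them is empty; the function earns its place on the next update, where a rule that was DISABLED in one pack and ENABLED in the next changes what the sensor alerts on without any local configuration change.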