Talos has added and modified multiple rules in the file-pdf, indicator-obfuscation, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
* 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
* 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
* 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

* 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
* 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
* 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
* 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
* 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

* 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
* 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
* 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
* 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
* 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)

* 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
* 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
* 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
* 1:39326 <-> DISABLED <-> SERVER-APACHE Apache Continuum saveInstallation.action command injection attempt (server-apache.rules)
* 1:39325 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)
* 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:39322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39324 <-> DISABLED <-> SERVER-WEBAPP Bomgar Remote Support session_complete PHP object injection attempt (server-webapp.rules)

* 1:37516 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:33483 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallMonster variant outbound connection (pua-adware.rules)
* 1:25050 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:39102 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:39103 <-> ENABLED <-> FILE-PDF Adobe Reader PDF embedded JPEG memory corruption attempt (file-pdf.rules)