Talos has added and modified multiple rules in the file-office and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS update request (malware-cnc.rules)
* 1:39327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoRoger outbound POST attempt (malware-cnc.rules)
* 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules)
* 1:39342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS initial outbound connection (malware-cnc.rules)
* 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS status update (malware-cnc.rules)
* 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules)
* 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS status update (malware-cnc.rules)
* 1:39342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS initial outbound connection (malware-cnc.rules)
* 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoRoger outbound POST attempt (malware-cnc.rules)
* 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS update request (malware-cnc.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoRoger outbound POST attempt (malware-cnc.rules)
* 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules)
* 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS initial outbound connection (malware-cnc.rules)
* 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS update request (malware-cnc.rules)
* 1:39344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS status update (malware-cnc.rules)
* 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
* 1:39345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS update request (malware-cnc.rules)
* 1:39344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS status update (malware-cnc.rules)
* 1:39343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration (malware-cnc.rules)
* 1:39342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS initial outbound connection (malware-cnc.rules)
* 1:39341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration (malware-cnc.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39330 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39329 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39328 <-> DISABLED <-> SERVER-WEBAPP TikiWiki tiki-calendar.php template command injection attempt (server-webapp.rules)
* 1:39327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoRoger outbound POST attempt (malware-cnc.rules)
* 1:38150 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection (malware-cnc.rules)