Talos has added and modified multiple rules in the blacklist, browser-plugins, file-executable, malware-cnc, malware-other, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39359 <-> DISABLED <-> SERVER-WEBAPP WordPress Ninja Forms nf_async_upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:39364 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39376 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39375 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39360 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:39363 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39357 <-> ENABLED <-> MALWARE-OTHER Flopex outbound communication attempt (malware-other.rules)
* 1:39358 <-> DISABLED <-> SERVER-WEBAPP Cisco DPC2420 router configuration file access attempt (server-webapp.rules)
* 1:39356 <-> ENABLED <-> MALWARE-OTHER Lamer outbound communication attempt (malware-other.rules)
* 1:39365 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39366 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39367 <-> ENABLED <-> BLACKLIST DNS request for known malware domain up-king.com - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39377 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39361 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain iraqicaht.ddns.net - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lorozoad variant outbound connection (malware-cnc.rules)
* 1:39372 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39373 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39374 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39378 <-> DISABLED <-> PROTOCOL-FTP PUT overflow attempt (protocol-ftp.rules)
* 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
* 3:39371 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API default credentials authentication attempt (server-webapp.rules)
* 3:39370 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API authentication bypass attempt (server-webapp.rules)
* 1:28437 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:28438 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:2343 <-> DISABLED <-> PROTOCOL-FTP STOR overflow attempt (protocol-ftp.rules)
* 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39356 <-> ENABLED <-> MALWARE-OTHER Lamer outbound communication attempt (malware-other.rules)
* 1:39363 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39364 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39374 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lorozoad variant outbound connection (malware-cnc.rules)
* 1:39373 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain iraqicaht.ddns.net - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39367 <-> ENABLED <-> BLACKLIST DNS request for known malware domain up-king.com - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39366 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39365 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39359 <-> DISABLED <-> SERVER-WEBAPP WordPress Ninja Forms nf_async_upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:39361 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39360 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:39372 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39376 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39358 <-> DISABLED <-> SERVER-WEBAPP Cisco DPC2420 router configuration file access attempt (server-webapp.rules)
* 1:39377 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39375 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39357 <-> ENABLED <-> MALWARE-OTHER Flopex outbound communication attempt (malware-other.rules)
* 1:39378 <-> DISABLED <-> PROTOCOL-FTP PUT overflow attempt (protocol-ftp.rules)
* 3:39371 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API default credentials authentication attempt (server-webapp.rules)
* 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
* 3:39370 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API authentication bypass attempt (server-webapp.rules)
* 1:28437 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:28438 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
* 1:2343 <-> DISABLED <-> PROTOCOL-FTP STOR overflow attempt (protocol-ftp.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39359 <-> DISABLED <-> SERVER-WEBAPP WordPress Ninja Forms nf_async_upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:39361 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39363 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39364 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39365 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39357 <-> ENABLED <-> MALWARE-OTHER Flopex outbound communication attempt (malware-other.rules)
* 1:39366 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39367 <-> ENABLED <-> BLACKLIST DNS request for known malware domain up-king.com - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain iraqicaht.ddns.net - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lorozoad variant outbound connection (malware-cnc.rules)
* 1:39372 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39373 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39374 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39375 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39356 <-> ENABLED <-> MALWARE-OTHER Lamer outbound communication attempt (malware-other.rules)
* 1:39378 <-> DISABLED <-> PROTOCOL-FTP PUT overflow attempt (protocol-ftp.rules)
* 1:39377 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39376 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39358 <-> DISABLED <-> SERVER-WEBAPP Cisco DPC2420 router configuration file access attempt (server-webapp.rules)
* 1:39360 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
* 3:39370 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API authentication bypass attempt (server-webapp.rules)
* 3:39371 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API default credentials authentication attempt (server-webapp.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
* 1:2343 <-> DISABLED <-> PROTOCOL-FTP STOR overflow attempt (protocol-ftp.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:28437 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:28438 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39378 <-> DISABLED <-> PROTOCOL-FTP PUT overflow attempt (protocol-ftp.rules)
* 1:39377 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39376 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:39375 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39374 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39373 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39372 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVueXCtrl ActiveX clsid access attempt (browser-plugins.rules)
* 1:39369 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lorozoad variant outbound connection (malware-cnc.rules)
* 1:39368 <-> ENABLED <-> BLACKLIST DNS request for known malware domain iraqicaht.ddns.net - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39367 <-> ENABLED <-> BLACKLIST DNS request for known malware domain up-king.com - Win.Trojan.Lorozoad (blacklist.rules)
* 1:39366 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39365 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler popup.php command injection attempt (server-webapp.rules)
* 1:39364 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39363 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler index.php command injection attempt (server-webapp.rules)
* 1:39362 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39361 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules)
* 1:39360 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:39359 <-> DISABLED <-> SERVER-WEBAPP WordPress Ninja Forms nf_async_upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:39358 <-> DISABLED <-> SERVER-WEBAPP Cisco DPC2420 router configuration file access attempt (server-webapp.rules)
* 1:39357 <-> ENABLED <-> MALWARE-OTHER Flopex outbound communication attempt (malware-other.rules)
* 1:39356 <-> ENABLED <-> MALWARE-OTHER Lamer outbound communication attempt (malware-other.rules)
* 3:39371 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API default credentials authentication attempt (server-webapp.rules)
* 3:39379 <-> ENABLED <-> FILE-EXECUTABLE Norton Antivirus ASPack heap corruption attempt (file-executable.rules)
* 3:39370 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure API authentication bypass attempt (server-webapp.rules)
* 1:31174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sapart variant outbound connection (malware-cnc.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:2343 <-> DISABLED <-> PROTOCOL-FTP STOR overflow attempt (protocol-ftp.rules)
* 1:28437 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:28438 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX function call access attempt (browser-plugins.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)