Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
* 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
* 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
* 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
* 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
* 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
* 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
* 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)

* 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
* 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
* 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
* 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
* 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
* 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
* 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
* 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
* 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
* 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)

* 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
* 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39670 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 1:39669 <-> DISABLED <-> FILE-PDF Adobe Reader submitForm SOP bypass attempt (file-pdf.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:39659 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39658 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Transform getter use after free attempt (file-flash.rules)
* 1:39657 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39656 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader JPEG handling memory corruption attempt (file-flash.rules)
* 1:39655 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39654 <-> ENABLED <-> SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt (server-mail.rules)
* 1:39653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mangit initial outbound connection (malware-cnc.rules)
* 1:39652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39651 <-> ENABLED <-> FILE-FLASH Adobe Flash Player swapDepths use after free attempt (file-flash.rules)
* 1:39650 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt (malware-cnc.rules)
* 1:39649 <-> ENABLED <-> BLACKLIST DNS request for known malware domain denoted-chioces.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39648 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gettort1.net - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39647 <-> ENABLED <-> BLACKLIST DNS request for known malware domain secpressnetwork.com - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39646 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alwaysonline.pw - Win.Trojan.ZeusPanda (blacklist.rules)
* 1:39645 <-> ENABLED <-> SERVER-WEBAPP Drupal Coder Module insecure remote file deserialization attempt (server-webapp.rules)
* 1:39644 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39643 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39642 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server credential disclosure attempt (server-webapp.rules)
* 1:39641 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39640 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39639 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework directory traversal attempt (server-webapp.rules)
* 1:39638 <-> DISABLED <-> MALWARE-TOOLS Win.Packer.ConfuserEx packed .NET executable attempt (malware-tools.rules)
* 1:39637 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt (malware-other.rules)
* 1:39636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Ranscam request.html response (malware-cnc.rules)
* 3:39660 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39661 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0162 attack attempt (file-other.rules)
* 3:39663 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39664 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0157 attack attempt (file-other.rules)
* 3:39665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39667 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39668 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0158 attack attempt (file-other.rules)
* 3:39671 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39672 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0156 attack attempt (file-other.rules)
* 3:39673 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39674 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39675 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)
* 3:39676 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-CAN-0104 attack attempt (file-image.rules)

* 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:39241 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:38275 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit redirection attempt (exploit-kit.rules)
* 3:35828 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)
* 3:35829 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0051 attack attempt (file-other.rules)