Talos has added and modified multiple rules in the blacklist, file-flash, file-image, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39730 <-> ENABLED <-> MALWARE-CNC Win.Adware.Xiazai outbound connection attempt (malware-cnc.rules)
* 1:39715 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39733 <-> DISABLED <-> SERVER-WEBAPP InBoundio Marketing for Wordpress plugin PHP file upload attempt (server-webapp.rules)
* 1:39723 <-> ENABLED <-> BLACKLIST DNS request for known malware domain local.it-desktop.com - pisloader (blacklist.rules)
* 1:39732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39728 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hi.getgo2.com - pisloader (blacklist.rules)
* 1:39719 <-> ENABLED <-> BLACKLIST DNS request for known malware domain globalprint-us.com - pisloader (blacklist.rules)
* 1:39713 <-> ENABLED <-> MALWARE-OTHER MKVIS outbound communication attempt (malware-other.rules)
* 1:39714 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39717 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39718 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.logitech-usa.com - pisloader (blacklist.rules)
* 1:39720 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intranetwabcam.com - pisloader (blacklist.rules)
* 1:39721 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login.access-mail.com - pisloader (blacklist.rules)
* 1:39722 <-> ENABLED <-> BLACKLIST DNS request for known malware domain glb.it-desktop.com - pisloader (blacklist.rules)
* 1:39683 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)
* 1:39716 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39727 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39684 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while image expected (indicator-compromise.rules)

* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter outbound connection (malware-cnc.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39727 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39728 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39716 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39684 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)
* 1:39714 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39715 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39717 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39718 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.logitech-usa.com - pisloader (blacklist.rules)
* 1:39719 <-> ENABLED <-> BLACKLIST DNS request for known malware domain globalprint-us.com - pisloader (blacklist.rules)
* 1:39720 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intranetwabcam.com - pisloader (blacklist.rules)
* 1:39721 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login.access-mail.com - pisloader (blacklist.rules)
* 1:39722 <-> ENABLED <-> BLACKLIST DNS request for known malware domain glb.it-desktop.com - pisloader (blacklist.rules)
* 1:39723 <-> ENABLED <-> BLACKLIST DNS request for known malware domain local.it-desktop.com - pisloader (blacklist.rules)
* 1:39724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hi.getgo2.com - pisloader (blacklist.rules)
* 1:39713 <-> ENABLED <-> MALWARE-OTHER MKVIS outbound communication attempt (malware-other.rules)
* 1:39733 <-> DISABLED <-> SERVER-WEBAPP InBoundio Marketing for Wordpress plugin PHP file upload attempt (server-webapp.rules)
* 1:39732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39730 <-> ENABLED <-> MALWARE-CNC Win.Adware.Xiazai outbound connection attempt (malware-cnc.rules)
* 1:39683 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while image expected (indicator-compromise.rules)

* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39733 <-> DISABLED <-> SERVER-WEBAPP InBoundio Marketing for Wordpress plugin PHP file upload attempt (server-webapp.rules)
* 1:39732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed CID identity-H font file out of bounds read attempt (file-pdf.rules)
* 1:39730 <-> ENABLED <-> MALWARE-CNC Win.Adware.Xiazai outbound connection attempt (malware-cnc.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while image expected (indicator-compromise.rules)
* 1:39728 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39727 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Rectangle constructor use after free attempt (file-flash.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39724 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hi.getgo2.com - pisloader (blacklist.rules)
* 1:39723 <-> ENABLED <-> BLACKLIST DNS request for known malware domain local.it-desktop.com - pisloader (blacklist.rules)
* 1:39722 <-> ENABLED <-> BLACKLIST DNS request for known malware domain glb.it-desktop.com - pisloader (blacklist.rules)
* 1:39721 <-> ENABLED <-> BLACKLIST DNS request for known malware domain login.access-mail.com - pisloader (blacklist.rules)
* 1:39720 <-> ENABLED <-> BLACKLIST DNS request for known malware domain intranetwabcam.com - pisloader (blacklist.rules)
* 1:39719 <-> ENABLED <-> BLACKLIST DNS request for known malware domain globalprint-us.com - pisloader (blacklist.rules)
* 1:39718 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ns1.logitech-usa.com - pisloader (blacklist.rules)
* 1:39717 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39716 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39715 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39714 <-> DISABLED <-> SERVER-WEBAPP phpFileManager command injection attempt (server-webapp.rules)
* 1:39713 <-> ENABLED <-> MALWARE-OTHER MKVIS outbound communication attempt (malware-other.rules)
* 1:39684 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)
* 1:39683 <-> ENABLED <-> FILE-IMAGE Apple Core Graphics BMP img_decode_read memory corruption attempt (file-image.rules)

* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
* 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovter outbound connection (malware-cnc.rules)
* 1:39662 <-> DISABLED <-> SERVER-WEBAPP PHP phar extension remote code execution attempt (server-webapp.rules)
* 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
* 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)