Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
* 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
* 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
* 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)
* 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)
* 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
* 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
* 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
* 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
* 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)
* 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)
* 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39907 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39906 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 1:39905 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt (malware-other.rules)
* 1:39904 <-> DISABLED <-> MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt (malware-other.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39896 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET Extension ActiveX function call access (browser-plugins.rules)
* 1:39895 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET exetension ActiveX clsid access (browser-plugins.rules)
* 1:39894 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 1:39893 <-> ENABLED <-> OS-LINUX Linux Kernel USBIP out of bounds write attempt (os-linux.rules)
* 1:39892 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39891 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SCADA Expert ClearSCADA ActiveX clsid access attempt (browser-plugins.rules)
* 1:39890 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39889 <-> DISABLED <-> FILE-PDF Adobe Acrobat invalid embedded font memory corruption attempt (file-pdf.rules)
* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:39887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toga variant outbound connection (malware-cnc.rules)
* 1:39886 <-> ENABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.Prepscram (blacklist.rules)
* 3:39897 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center sajaxintf.cgi command injection attempt (server-webapp.rules)
* 3:39898 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePOWER Management Center pjb.cgi privilege escalation attempt (server-webapp.rules)
* 1:24645 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24644 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24646 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24690 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24689 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:24691 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:24692 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX clsid access attempt (browser-plugins.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:24643 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 3:39885 <-> ENABLED <-> PROTOCOL-SNMP Cisco ASA SNMP OID parsing stack buffer overflow attempt (protocol-snmp.rules)