Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)
* 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
* 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
* 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
* 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
* 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
* 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
* 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
* 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
* 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
* 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
* 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
* 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
* 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
* 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)

* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)
* 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
* 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)
* 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
* 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
* 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
* 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
* 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
* 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
* 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
* 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
* 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
* 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
* 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
* 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
* 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)

* 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)
* 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40217 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - F.5.E.C (blacklist.rules)
* 1:40216 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.VBInject (blacklist.rules)
* 1:40215 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40214 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Ogimant outbound connection detected (malware-cnc.rules)
* 1:40213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkShell external connection attempt (malware-cnc.rules)
* 1:40212 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Darkshell (blacklist.rules)
* 1:40211 <-> DISABLED <-> PUA-ADWARE Win.Adware.EoRezo outbound connection (pua-adware.rules)
* 1:40210 <-> DISABLED <-> BLACKLIST DNS request from known malware domain g5wcesdfjzne7255.onion.to - Osx.Trojan.keydnap (blacklist.rules)
* 1:40209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bulta external connection attempt (malware-cnc.rules)
* 1:40208 <-> DISABLED <-> PUA-ADWARE Win.Adware.Penzievs outbound connection attempt (pua-adware.rules)
* 1:40207 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40206 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40205 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Comisproc outbound connection detected (malware-cnc.rules)
* 1:40204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected (malware-cnc.rules)
* 1:40203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Drolnux variant outbound connection (malware-cnc.rules)
* 1:40202 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40201 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40200 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40199 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40198 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40197 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40196 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40195 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40194 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40193 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40192 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40191 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Swabfex download attempt (malware-other.rules)
* 1:40190 <-> DISABLED <-> POLICY-OTHER SSH weak blowfish cipher suite use attempt (policy-other.rules)
* 1:40189 <-> DISABLED <-> POLICY-OTHER SSH weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40188 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40187 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40186 <-> DISABLED <-> POLICY-OTHER SSL weak 3DES cipher suite use attempt (policy-other.rules)
* 1:40185 <-> DISABLED <-> SERVER-WEBAPP WebNMS framework server .jsp file retrieval attempt (server-webapp.rules)
* 1:40184 <-> DISABLED <-> EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt (exploit-kit.rules)
* 1:40183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Malex variant outbound connection (malware-cnc.rules)
* 1:40182 <-> DISABLED <-> SERVER-WEBAPP AirOS authentication bypass attempt (server-webapp.rules)

* 1:16600 <-> DISABLED <-> MALWARE-CNC Otlard Win.Trojan.activity (malware-cnc.rules)
* 1:37734 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:37736 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Point object integer overflow attempt (file-flash.rules)
* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39766 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected (malware-other.rules)