Talos has added and modified multiple rules in the blacklist, file-image, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
* 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)
* 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
* 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
* 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)
* 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
* 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)
* 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
* 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
* 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection attempt (malware-cnc.rules)
* 1:40251 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Perseus (blacklist.rules)
* 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used with HTTP 1.0 evasion attempt. (indicator-obfuscation.rules)
* 1:40249 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader external connection attempt (malware-cnc.rules)
* 1:40248 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40247 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40246 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40245 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40244 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40243 <-> DISABLED <-> FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt (file-image.rules)
* 1:40242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40241 <-> DISABLED <-> SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow (server-other.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)