Snort - Network Intrusion Detection & Prevention System

Talos Rules 2016-10-04

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, malware-cnc, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2976

2016-10-04 15:06:37 UTC

Snort Subscriber Rules Update

Date: 2016-10-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40331 <-> DISABLED <-> SERVER-WEBAPP JBoss default credential login attempt (server-webapp.rules)
 * 1:40324 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules)
 * 1:40320 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules)
 * 1:40318 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules)
 * 1:40321 <-> DISABLED <-> SERVER-APACHE Apache Tomcat credential disclosure attempt (server-apache.rules)
 * 1:40319 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules)
 * 1:40323 <-> ENABLED <-> SERVER-OTHER Adobe ColdFusion RDS admin bypass attempt (server-other.rules)
 * 1:40322 <-> DISABLED <-> SERVER-OTHER CA weblogic default credential login attempt (server-other.rules)
 * 1:40325 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion default credential login attempt (server-other.rules)
 * 1:40326 <-> DISABLED <-> SERVER-OTHER JBoss directory traversal attempt (server-other.rules)
 * 1:40327 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion fckeditor arbitrary file upload (server-other.rules)
 * 1:40328 <-> DISABLED <-> SERVER-OTHER Railo directory traversal attempt (server-other.rules)
 * 1:40329 <-> DISABLED <-> SERVER-OTHER Axis2 directory traversal attempt (server-other.rules)
 * 1:40330 <-> DISABLED <-> SERVER-OTHER JBoss directory traversal attempt (server-other.rules)
 * 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
 * 1:40333 <-> DISABLED <-> PROTOCOL-SCADA Rockwell firmware upload attempt (protocol-scada.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40316 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules)
 * 1:40317 <-> DISABLED <-> SERVER-APACHE Apache Tomcat default credential login attempt (server-apache.rules)
 * 1:40332 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails Web Console remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
 * 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
 * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection  (malware-cnc.rules)

2983