Talos has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40501 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules) * 1:40502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules) * 1:40497 <-> ENABLED <-> SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt (server-webapp.rules) * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules) * 1:40495 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules) * 1:40496 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium PHP file upload attempt (server-webapp.rules) * 1:40492 <-> DISABLED <-> PUA-ADWARE Win.Adware.DownloadManager outbound connection (pua-adware.rules) * 3:40498 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA Crypto CA Server out of bounds read attempt (server-webapp.rules) * 3:40499 <-> ENABLED <-> SERVER-OTHER Cisco ASA NBSTAT response stack buffer overflow attempt (server-other.rules) * 3:40504 <-> ENABLED <-> SERVER-OTHER Cisco Snort HTTP chunked transfer encoding processing denial of service attempt (server-other.rules)
* 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules) * 1:23910 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23911 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23913 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:23914 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23915 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23916 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23917 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23918 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23919 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23920 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23921 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23922 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23923 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23924 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23925 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23926 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23927 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23928 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23929 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:39362 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules) * 1:31299 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules) * 1:23930 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules) * 1:28797 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt (exploit-kit.rules) * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules) * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules) * 1:23931 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules) * 1:23932 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:28796 <-> ENABLED <-> EXPLOIT-KIT iFRAMEr successful cnt.php redirection (exploit-kit.rules) * 1:23933 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:23912 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules) * 1:40081 <-> DISABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules) * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules) * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules) * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules) * 1:23905 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules) * 1:23906 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23908 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23909 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23907 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40516 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules) * 1:40515 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed unicode font name code execution attempt (file-pdf.rules) * 1:40514 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40513 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40512 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40511 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40510 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40509 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40508 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40507 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40506 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40505 <-> ENABLED <-> FILE-PDF Adobe Reader XSLT Transform use after free attempt (file-pdf.rules) * 1:40503 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules) * 1:40502 <-> ENABLED <-> FILE-FLASH Adobe Flash Player QOSProvider use-after-free attempt (file-flash.rules) * 1:40501 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules) * 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules) * 1:40497 <-> ENABLED <-> SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt (server-webapp.rules) * 1:40496 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules) * 1:40495 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player PSDK FlashRuntime mediaplayer pause attempt (file-flash.rules) * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium PHP file upload attempt (server-webapp.rules) * 1:40493 <-> DISABLED <-> SERVER-WEBAPP Ektron ServerControlWS.asmx XSL transform code injection attempt (server-webapp.rules) * 1:40492 <-> DISABLED <-> PUA-ADWARE Win.Adware.DownloadManager outbound connection (pua-adware.rules) * 3:40498 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA Crypto CA Server out of bounds read attempt (server-webapp.rules) * 3:40499 <-> ENABLED <-> SERVER-OTHER Cisco ASA NBSTAT response stack buffer overflow attempt (server-other.rules) * 3:40504 <-> ENABLED <-> SERVER-OTHER Cisco Snort HTTP chunked transfer encoding processing denial of service attempt (server-other.rules)
* 1:23908 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23906 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23114 <-> DISABLED <-> INDICATOR-OBFUSCATION GIF header with PHP tags - likely malicious (indicator-obfuscation.rules) * 1:23905 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:21108 <-> DISABLED <-> EXPLOIT-KIT unknown exploit kit obfuscated landing page (exploit-kit.rules) * 1:23113 <-> DISABLED <-> INDICATOR-OBFUSCATION eval gzinflate base64_decode call - likely malicious (indicator-obfuscation.rules) * 1:16301 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules) * 1:19551 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name (malware-other.rules) * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules) * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules) * 1:40081 <-> DISABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules) * 1:39867 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .tk dns query (indicator-compromise.rules) * 1:39866 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .ml dns query (indicator-compromise.rules) * 1:39362 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Batlopma (blacklist.rules) * 1:31299 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules) * 1:29213 <-> ENABLED <-> INDICATOR-OBFUSCATION potential math library debugging (indicator-obfuscation.rules) * 1:28797 <-> ENABLED <-> EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt (exploit-kit.rules) * 1:28796 <-> ENABLED <-> EXPLOIT-KIT iFRAMEr successful cnt.php redirection (exploit-kit.rules) * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules) * 1:28071 <-> DISABLED <-> APP-DETECT 360.cn SafeGuard local HTTP management console access attempt (app-detect.rules) * 1:28070 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com (app-detect.rules) * 1:28069 <-> DISABLED <-> APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn (app-detect.rules) * 1:28068 <-> DISABLED <-> APP-DETECT 360.cn Safeguard runtime outbound communication (app-detect.rules) * 1:28039 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .pw dns query (indicator-compromise.rules) * 1:23933 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23932 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23931 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23930 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23929 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23928 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23927 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23926 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23925 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23924 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23923 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23922 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23921 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23920 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23919 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23918 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23917 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23916 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23915 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23914 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23913 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23911 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23912 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23910 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23907 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules) * 1:23909 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.DistTrack propagation - execute dropped file (indicator-compromise.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
