Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40571 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
* 1:40572 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
* 1:40570 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
* 1:40569 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
* 1:40567 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:40568 <-> DISABLED <-> INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt (indicator-compromise.rules)
* 1:40565 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40566 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40563 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40564 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection attempt (malware-cnc.rules)
* 1:40560 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
* 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
* 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 1:40549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection (malware-cnc.rules)
* 1:40551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt (malware-cnc.rules)
* 1:40555 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
* 1:40556 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
* 1:40557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
* 1:40561 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40562 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40579 <-> ENABLED <-> SERVER-OTHER ISC BIND 9 DNS query overly long name denial of service attempt (server-other.rules)
* 1:40577 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
* 1:40550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt (malware-cnc.rules)
* 1:40578 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
* 1:40576 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
* 1:40575 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
* 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
* 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
* 3:40552 <-> ENABLED <-> SERVER-OTHER Cisco ESA lzw attachment parsing denial of service attempt (server-other.rules)
* 3:40553 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
* 3:40554 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
* 3:40580 <-> ENABLED <-> POLICY-OTHER Cisco Universal Media Services potentially unauthorized API access detected (policy-other.rules)

* 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
* 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
* 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
* 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
* 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
* 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40579 <-> ENABLED <-> SERVER-OTHER ISC BIND 9 DNS query overly long name denial of service attempt (server-other.rules)
* 1:40578 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
* 1:40577 <-> ENABLED <-> FILE-PDF Adobe Reader XFA remerge JavaScript use after free attempt (file-pdf.rules)
* 1:40576 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
* 1:40575 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA excelGroup memory corruption attempt (file-pdf.rules)
* 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
* 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
* 1:40572 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
* 1:40571 <-> ENABLED <-> FILE-PDF Adobe Reader corrupt bookmark use after free attempt (file-pdf.rules)
* 1:40570 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
* 1:40569 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA relayoutPageArea memory corruption attempt (file-pdf.rules)
* 1:40568 <-> DISABLED <-> INDICATOR-COMPROMISE wsf inside zip potential malicious file download attempt (indicator-compromise.rules)
* 1:40567 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:40566 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40565 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40564 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40563 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40562 <-> DISABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40561 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40560 <-> ENABLED <-> OS-LINUX Linux kernel madvise race condition attempt (os-linux.rules)
* 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection attempt (malware-cnc.rules)
* 1:40558 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
* 1:40557 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed object stream memory corruption attempt (file-pdf.rules)
* 1:40556 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
* 1:40555 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AHCACHE.SYS remote denial of service attempt (os-windows.rules)
* 1:40551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt (malware-cnc.rules)
* 1:40550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt (malware-cnc.rules)
* 1:40549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection (malware-cnc.rules)
* 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
* 1:40547 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 1:40546 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript API privileged function bypass attempt (file-pdf.rules)
* 3:40552 <-> ENABLED <-> SERVER-OTHER Cisco ESA lzw attachment parsing denial of service attempt (server-other.rules)
* 3:40553 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
* 3:40554 <-> ENABLED <-> SERVER-OTHER Cisco ESA uuencode attachment processing exception denial of service attempt (server-other.rules)
* 3:40580 <-> ENABLED <-> POLICY-OTHER Cisco Universal Media Services potentially unauthorized API access detected (policy-other.rules)

* 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
* 1:38966 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)
* 1:40500 <-> ENABLED <-> MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection (malware-cnc.rules)
* 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
* 1:39851 <-> ENABLED <-> INDICATOR-COMPROMISE Connection to malware sinkhole - CERT.PL (indicator-compromise.rules)
* 1:38967 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid NumberComponents out of bounds read attempt (file-pdf.rules)