Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40800 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Crypton (blacklist.rules)
* 1:40799 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
* 1:40798 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
* 1:40797 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40796 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40795 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
* 1:40787 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
* 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40784 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
* 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
* 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
* 1:40781 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
* 1:40780 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
* 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40789 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
* 3:40790 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
* 3:40791 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40792 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40793 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40794 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40801 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
* 3:40809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40802 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
* 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 1:34757 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
* 1:34758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
* 1:40170 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
* 1:40171 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
* 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40785 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40782 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Venik (blacklist.rules)
* 1:40783 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 GetSecurityKeys information disclosure attempt (server-webapp.rules)
* 1:40780 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
* 1:40781 <-> ENABLED <-> FILE-FLASH Adobe Flash Player LoadVars use-after-free attempt (file-flash.rules)
* 1:40788 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
* 1:40796 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40787 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
* 1:40799 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
* 1:40795 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40798 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free class extending obfuscation attempt (file-flash.rules)
* 1:40797 <-> DISABLED <-> MALWARE-CNC Nesxlh variant outbound connection (malware-cnc.rules)
* 1:40800 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Crypton (blacklist.rules)
* 1:40786 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
* 1:40784 <-> DISABLED <-> SERVER-WEBAPP ZyXEL TR-064 SetNTPServers command injection attempt (server-webapp.rules)
* 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40802 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
* 3:40793 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40807 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40791 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40801 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0177 attack attempt (file-other.rules)
* 3:40790 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
* 3:40810 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40806 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40808 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40809 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40794 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40792 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0176 attack attempt (file-other.rules)
* 3:40805 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0178 attack attempt (file-other.rules)
* 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40789 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
* 1:34757 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
* 1:34758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CDXTFilterNode object remote code execution attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:39293 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39294 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39295 <-> DISABLED <-> FILE-FLASH Adobe Flash Player apphelp.dll dll-load exploit attempt (file-flash.rules)
* 1:39296 <-> DISABLED <-> FILE-FLASH Adobe Flash Player dbghelp.dll dll-load exploit attempt (file-flash.rules)
* 1:40170 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
* 1:40171 <-> DISABLED <-> FILE-FLASH Adobe Standalone Flash Player use after free attempt (file-flash.rules)
* 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET array index out of bounds attempt (server-other.rules)