Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-icmp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40826 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt (file-pdf.rules)
* 1:40818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField text use after free attempt (file-flash.rules)
* 1:40817 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway new_whitelist.php command injection attempt (server-webapp.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:40812 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Mauris outbound download attempt (malware-cnc.rules)
* 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40815 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system administrator password reset attempt (server-webapp.rules)
* 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
* 1:40827 <-> DISABLED <-> PUA-ADWARE MindSpark framework installer attempt (pua-adware.rules)
* 1:40828 <-> DISABLED <-> INDICATOR-COMPROMISE Malicious script redirect attempt (indicator-compromise.rules)
* 1:40819 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField text use after free attempt (file-flash.rules)
* 1:40823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gendwndrop variant outbound connection (malware-cnc.rules)
* 1:40824 <-> ENABLED <-> MALWARE-CNC Logbro variant outbound connection (malware-cnc.rules)
* 1:40825 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt (file-pdf.rules)
* 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 3:40820 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0239 attack attempt (server-webapp.rules)
* 3:40821 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0241 attack attempt (server-webapp.rules)
* 3:40822 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0241 attack attempt (server-webapp.rules)
* 1:38842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:38841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:402 <-> DISABLED <-> PROTOCOL-ICMP destination unreachable port unreachable packet detected (protocol-icmp.rules)
* 1:40223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector external connection attempt (malware-cnc.rules)
* 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
* 1:21080 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:19176 <-> DISABLED <-> SERVER-WEBAPP cookiejacking attempt (server-webapp.rules)
* 1:19678 <-> DISABLED <-> SERVER-OTHER multiple products blacknurse ICMP denial of service attempt (server-other.rules)
* 1:40385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
* 1:19177 <-> DISABLED <-> SERVER-WEBAPP cookiejacking attempt (server-webapp.rules)
* 1:40386 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
* 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
* 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
* 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
* 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40828 <-> DISABLED <-> INDICATOR-COMPROMISE Malicious script redirect attempt (indicator-compromise.rules)
* 1:40827 <-> DISABLED <-> PUA-ADWARE MindSpark framework installer attempt (pua-adware.rules)
* 1:40826 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt (file-pdf.rules)
* 1:40825 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript recursive calls memory corruption attempt (file-pdf.rules)
* 1:40824 <-> ENABLED <-> MALWARE-CNC Logbro variant outbound connection (malware-cnc.rules)
* 1:40823 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gendwndrop variant outbound connection (malware-cnc.rules)
* 1:40819 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField text use after free attempt (file-flash.rules)
* 1:40818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField text use after free attempt (file-flash.rules)
* 1:40817 <-> DISABLED <-> SERVER-WEBAPP Symantec Web Gateway new_whitelist.php command injection attempt (server-webapp.rules)
* 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
* 1:40815 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system administrator password reset attempt (server-webapp.rules)
* 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40812 <-> ENABLED <-> MALWARE-CNC Rtf.Trojan.Mauris outbound download attempt (malware-cnc.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 3:40820 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0239 attack attempt (server-webapp.rules)
* 3:40821 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0241 attack attempt (server-webapp.rules)
* 3:40822 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-CAN-0241 attack attempt (server-webapp.rules)
* 1:39402 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
* 1:24792 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Google page (blacklist.rules)
* 1:21080 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
* 1:24015 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Magania variant outbound connection (malware-cnc.rules)
* 1:19177 <-> DISABLED <-> SERVER-WEBAPP cookiejacking attempt (server-webapp.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:40386 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
* 1:19176 <-> DISABLED <-> SERVER-WEBAPP cookiejacking attempt (server-webapp.rules)
* 1:40385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
* 1:19678 <-> DISABLED <-> SERVER-OTHER multiple products blacknurse ICMP denial of service attempt (server-other.rules)
* 1:38841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:38842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:40223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector external connection attempt (malware-cnc.rules)
* 1:402 <-> DISABLED <-> PROTOCOL-ICMP destination unreachable port unreachable packet detected (protocol-icmp.rules)
* 1:39681 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39680 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
* 1:39403 <-> ENABLED <-> FILE-OTHER Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt (file-other.rules)
* 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
* 3:40803 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)
* 3:40804 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0179 attack attempt (file-other.rules)