Talos has added and modified multiple rules in the blacklist, exploit-kit, malware-cnc, os-linux, pua-adware and server-webapp rule sets to provide coverage for emerging threats in these areas.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41027 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:41029 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager SQL injection attempt (server-webapp.rules)
* 1:41026 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard remote code execution attempt (server-webapp.rules)
* 1:41030 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager command injection attempt (server-webapp.rules)
* 1:41028 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:5974 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - pop-up ads (pua-adware.rules)
* 1:5972 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - ie autosearch hijack 1 (pua-adware.rules)
* 1:5973 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - search engines hijack (pua-adware.rules)
* 1:5970 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Feat2 Updater (blacklist.rules)
* 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
* 1:5994 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - click related button (pua-adware.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:5993 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - track activity (pua-adware.rules)
* 1:6237 <-> DISABLED <-> PUA-ADWARE Adware lop runtime detection - check update request (pua-adware.rules)
* 1:27256 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware (malware-cnc.rules)
* 1:6184 <-> DISABLED <-> PUA-ADWARE Adware 180Search assistant runtime detection - config upload (pua-adware.rules)
* 1:5988 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ZC-Bridge (blacklist.rules)
* 1:5992 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Mirar_KeywordContentHijacker (blacklist.rules)
* 1:13932 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - opera (blacklist.rules)
* 1:6233 <-> DISABLED <-> PUA-ADWARE Adware mirar runtime detection - delayed (pua-adware.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41026 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard remote code execution attempt (server-webapp.rules)
* 1:41027 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:41028 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:41029 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager SQL injection attempt (server-webapp.rules)
* 1:41030 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager command injection attempt (server-webapp.rules)
* 1:6184 <-> DISABLED <-> PUA-ADWARE Adware 180Search assistant runtime detection - config upload (pua-adware.rules)
* 1:5973 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - search engines hijack (pua-adware.rules)
* 1:5974 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - pop-up ads (pua-adware.rules)
* 1:5970 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Feat2 Updater (blacklist.rules)
* 1:5972 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - ie autosearch hijack 1 (pua-adware.rules)
* 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
* 1:27256 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware (malware-cnc.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:5988 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ZC-Bridge (blacklist.rules)
* 1:5992 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Mirar_KeywordContentHijacker (blacklist.rules)
* 1:5994 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - click related button (pua-adware.rules)
* 1:5993 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - track activity (pua-adware.rules)
* 1:6237 <-> DISABLED <-> PUA-ADWARE Adware lop runtime detection - check update request (pua-adware.rules)
* 1:6233 <-> DISABLED <-> PUA-ADWARE Adware mirar runtime detection - delayed (pua-adware.rules)
* 1:13932 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - opera (blacklist.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41030 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager command injection attempt (server-webapp.rules)
* 1:41029 <-> DISABLED <-> SERVER-WEBAPP Nagios Core Configuration Manager SQL injection attempt (server-webapp.rules)
* 1:41028 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:41027 <-> DISABLED <-> OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt (os-linux.rules)
* 1:41026 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard remote code execution attempt (server-webapp.rules)
* 1:6237 <-> DISABLED <-> PUA-ADWARE Adware lop runtime detection - check update request (pua-adware.rules)
* 1:6233 <-> DISABLED <-> PUA-ADWARE Adware mirar runtime detection - delayed (pua-adware.rules)
* 1:6184 <-> DISABLED <-> PUA-ADWARE Adware 180Search assistant runtime detection - config upload (pua-adware.rules)
* 1:5994 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - click related button (pua-adware.rules)
* 1:5993 <-> DISABLED <-> PUA-ADWARE Hijacker getmirar outbound connection - track activity (pua-adware.rules)
* 1:5992 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Mirar_KeywordContentHijacker (blacklist.rules)
* 1:5988 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - ZC-Bridge (blacklist.rules)
* 1:5974 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - pop-up ads (pua-adware.rules)
* 1:5973 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - search engines hijack (pua-adware.rules)
* 1:5972 <-> DISABLED <-> PUA-ADWARE hijacker smart finder detection - ie autosearch hijack 1 (pua-adware.rules)
* 1:5970 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - Feat2 Updater (blacklist.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:26950 <-> ENABLED <-> EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt (exploit-kit.rules)
* 1:27256 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware (malware-cnc.rules)
* 1:13932 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - opera (blacklist.rules)