Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of each entry is:
gid:sid <-> Default rule state <-> Message (rule group)
GID 1 entries are text rules; GID 3 entries are shared-object (SO) rules, which ship as precompiled binaries per platform and require the matching SO rule package rather than a text-only rule update. A rule listed as DISABLED is present in the pack but not active in the default policy until you enable it.
New rules:
* 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
* 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
* 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
* 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
* 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
* 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
* 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite outbound communication attempt (malware-cnc.rules)
* 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
* 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap outbound communication attempt (malware-cnc.rules)
* 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)
* 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)

Modified rules:
* 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
* 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
* 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
* 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
* 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
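The listing format above is simple enough to parse mechanically, which is how most shops decide what to do with an update: count what ships enabled, find the DISABLED rules worth turning on for their environment (for example the protocol-scada and server-other Rockwell rules on a network that carries ICS traffic), and spot GID 3 entries that need the shared-object package. The script below is an added example written for this page, not Talos or Snort tooling. The sample strings are copied from this page's 2976 and 2983 listings (the 2983 listing has the same rules in a different order); the one-`gid:sid`-per-line output format for `enablesid.conf` is an assumption about PulledPork's configuration file, not something the page states.

```python
"""Parse and summarise a Talos rule-update listing in the page's own
'gid:sid <-> STATE <-> message (file.rules)' format.  Added example for this
page, not Talos or Snort tooling; sample text is copied from the page."""
import re
from collections import Counter, defaultdict

# One item: gid:sid <-> ENABLED|DISABLED <-> message (rule-file.rules)
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<file>[\w.-]+\.rules)\)"
)

def parse_rule_list(text):
    """Return [(gid, sid, enabled, msg, rule_file), ...] for every item in text.
    Works whether items are one per line or run together with ' * ' separators."""
    return [(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
             m["msg"].strip(), m["file"]) for m in ENTRY_RE.finditer(text)]

def state_summary(entries):
    """Count ENABLED/DISABLED entries and GID 3 (shared-object) rules."""
    c = Counter()
    for gid, _sid, enabled, _msg, _f in entries:
        c["enabled" if enabled else "disabled"] += 1
        if gid == 3:  # GID 3 = shared-object (.so) rule, GID 1 = text rule
            c["shared_object"] += 1
    return dict(c)

def disabled_by_file(entries):
    """Map rule file -> sorted 'gid:sid' of rules that ship DISABLED (review candidates)."""
    out = defaultdict(list)
    for gid, sid, enabled, _msg, f in entries:
        if not enabled:
            out[f].append(f"{gid}:{sid}")
    return {f: sorted(v) for f, v in out.items()}

def enablesid_lines(entries, rule_files):
    """One 'gid:sid' per disabled rule in the chosen rule files, in the
    one-entry-per-line form assumed for PulledPork's enablesid.conf."""
    return [f"{gid}:{sid}" for gid, sid, enabled, _m, f in entries
            if not enabled and f in rule_files]

def same_rule_set(a, b):
    """True when two listings hold the same rules with the same default states and
    rule files, ignoring order and message text."""
    key = lambda e: (e[0], e[1], e[2], e[4])
    return {key(e) for e in a} == {key(e) for e in b}

# Sample input copied from the page's Snort 2976 listing (new + modified rules).
RULES_2976 = """\
 * 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
 * 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
 * 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
 * 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt (malware-cnc.rules)
 * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap out bound communication attempt (malware-cnc.rules)
 * 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)
 * 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)
 * 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
"""

# Same rules as listed for Snort 2983 on the page: identical set, different order.
RULES_2983 = """\
 * 1:41092 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41091 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Controllogix Crash Ethernet attempt (protocol-scada.rules)
 * 1:41089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ostap out bound communication attempt (malware-cnc.rules)
 * 1:41090 <-> DISABLED <-> SERVER-OTHER Rockwell Factorytalk RNADiagReceiver denial of service attempt (server-other.rules)
 * 1:41083 <-> ENABLED <-> BLACKLIST suspicious .bit dns query (blacklist.rules)
 * 1:41084 <-> DISABLED <-> EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected (exploit-kit.rules)
 * 1:41088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt (malware-cnc.rules)
 * 1:41087 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 1:41086 <-> ENABLED <-> SERVER-WEBAPP Oracle Opera Property Management System ProcessInfo command injection attempt (server-webapp.rules)
 * 3:41093 <-> ENABLED <-> POLICY-OTHER Docker management traffic detected (policy-other.rules)
 * 3:41085 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0235 attack attempt (server-webapp.rules)
 * 1:12058 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:40998 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:36719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
 * 1:40999 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection proxyType invalid value out of bounds read attempt (file-flash.rules)
 * 1:36718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k kernel memory information disclosure attempt (os-windows.rules)
"""

if __name__ == "__main__":
    entries = parse_rule_list(RULES_2976)
    print(state_summary(entries))                 # {'disabled': 6, 'enabled': 10, 'shared_object': 2}
    print(disabled_by_file(entries))
    print("\n".join(enablesid_lines(entries, {"protocol-scada.rules", "server-other.rules"})))
    print("2983 identical to 2976:", same_rule_set(entries, parse_rule_list(RULES_2983)))
```

`same_rule_set` compares GID, SID, default state and rule file but deliberately ignores message text, so a pack that only reworded a message still reports as the same set; drop the key down to `(gid, sid)` if you only care about which SIDs changed, or include the message if you want to catch renames.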
The Sourcefire VRT Certified rule pack for Snort version 2983 contains the same added and modified rules, with the same default states, as the 2976 pack listed above; only the listing order differs.
The Sourcefire VRT Certified rule pack for Snort version 2990 likewise contains the same added and modified rules, with the same default states, as the 2976 pack listed above; only the listing order differs.