Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
* 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
* 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
* 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
* 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
* 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
* 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
* 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
* 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
* 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
* 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
* 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
* 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
* 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
* 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
* 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
* 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
* 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
* 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
* 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
* 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
* 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
* 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
* 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
* 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
* 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
* 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
* 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
* 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
* 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
* 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
* 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
* 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
* 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
* 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
* 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
* 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
* 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
* 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
* 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
* 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
* 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
* 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
* 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
* 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)