Talos has added and modified multiple rules in the file-flash, file-office, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:41711 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 1:41713 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke installation attempt detected (server-webapp.rules)
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41701 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DSGetNCChanges attempt (policy-other.rules)
* 1:41702 <-> DISABLED <-> MALWARE-CNC Win.Adware.Winwrapper outbound connection (malware-cnc.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41705 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41706 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:41708 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41709 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)

Modified Rules:
* 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
* 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
* 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
* 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41701 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DSGetNCChanges attempt (policy-other.rules)
* 1:41702 <-> DISABLED <-> MALWARE-CNC Win.Adware.Winwrapper outbound connection (malware-cnc.rules)
* 1:41705 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41706 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:41708 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41709 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules)
* 1:41713 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke installation attempt detected (server-webapp.rules)
* 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41711 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)

Modified Rules:
* 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
* 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
* 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
* 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:41713 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke installation attempt detected (server-webapp.rules)
* 1:41712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini backdoor file download request (malware-cnc.rules)
* 1:41711 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41709 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41708 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom valueOf function attempt (file-flash.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:41706 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41705 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid package script information use after free attempt (file-flash.rules)
* 1:41702 <-> DISABLED <-> MALWARE-CNC Win.Adware.Winwrapper outbound connection (malware-cnc.rules)
* 1:41701 <-> DISABLED <-> POLICY-OTHER Microsoft Active Directory DSGetNCChanges attempt (policy-other.rules)
* 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41697 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera machine.cgi information disclosure attempt (server-webapp.rules)
* 1:41696 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera cloudsetup.cgi command execution attempt (server-webapp.rules)
* 1:41695 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41694 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera pwdgrp.cgi command injection attempt (server-webapp.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)

Modified Rules:
* 1:40446 <-> ENABLED <-> SERVER-WEBAPP Avtech IP Camera unauthenticated config access attempt (server-webapp.rules)
* 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
* 1:41150 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:41151 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript navigation pane use after free attempt (file-pdf.rules)
* 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
* 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
* 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 TALOS-2017-0289 attack attempt (file-pdf.rules)
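The three lists above (Snort 2976, 2983 and 2990) share one entry format, and the entries that need a decision from the operator are the ones shipped DISABLED in the default rule state: the Netgear DGN2200, Avtech IP Camera, DotNetNuke, McAfee, DSGetNCChanges, Winwrapper and BITS rules fire nothing until you enable them. The following Python is an added example, not Talos's or Snort's code: it parses entries in the "gid:sid <-> Default rule state <-> Message (rule group)" format (tolerating the run-together "*"-separated layout and line breaks inside an entry, as in this page's extraction), diffs the rule sets of two versions, and lists the disabled-by-default rules as gid:sid pairs, optionally filtered by a keyword such as "Netgear", so you can enable only what matches devices you actually run. The excerpt it parses is constructed from entries on this page; emitting one gid:sid per line as the input for an enable list is an assumption to check against your rule-management tool (pulledpork's enablesid.conf, for example).

```python
"""Parse Talos rule-update changelog entries and act on them.

Entry format (from the changelog):
    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re

# One entry; \s* around the arrows and before "(group)" absorbs the line
# breaks that extraction inserted mid-entry, DOTALL lets a message span one.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


def parse_entries(text):
    """Return one dict per rule entry found anywhere in the text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": " ".join(m["msg"].split()),   # normalise internal whitespace
            "group": m["group"],
        })
    return entries


def rule_ids(entries):
    return {(e["gid"], e["sid"]) for e in entries}


def diff_rulesets(old_entries, new_entries):
    """(added, removed) sets of (gid, sid) between two changelog lists."""
    old, new = rule_ids(old_entries), rule_ids(new_entries)
    return new - old, old - new


def disabled_by_default(entries, keyword=None):
    """Sorted 'gid:sid' strings for rules whose default state is DISABLED,
    optionally restricted to messages containing keyword (case-insensitive).
    One id per line is assumed to be what your enable-list tool wants."""
    picked = set()
    for e in entries:
        if e["state"] != "DISABLED":
            continue
        if keyword and keyword.lower() not in e["msg"].lower():
            continue
        picked.add((e["gid"], e["sid"]))
    return [f"{g}:{s}" for g, s in sorted(picked)]


# Constructed excerpts: entries copied from the 2976 and 2983 lists on this
# page. The first is left in the run-together layout with one entry broken
# across a line, the way the page's extraction produced it.
CHANGELOG_2976 = """
* 1:41711 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection (malware-cnc.rules) * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules) * 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules) * 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS
(indicator-compromise.rules) * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)
"""

CHANGELOG_2983 = """
* 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
* 1:41693 <-> DISABLED <-> SERVER-WEBAPP Avtech IP Camera adcommand.cgi command execution attempt (server-webapp.rules)
* 1:41710 <-> DISABLED <-> INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS (indicator-compromise.rules)
* 1:41711 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection (malware-cnc.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-office.rules)
"""

if __name__ == "__main__":
    old, new = parse_entries(CHANGELOG_2976), parse_entries(CHANGELOG_2983)
    added, removed = diff_rulesets(old, new)
    print(f"2976 -> 2983: added {sorted(added)}, removed {sorted(removed)}")
    print("disabled by default, all:")
    print("\n".join(disabled_by_default(new)))
    print("disabled by default, Netgear only:")
    print("\n".join(disabled_by_default(new, keyword="Netgear")))
```

Run it against the full text of two changelog posts to confirm that they carry the same rule changes (the diff comes back empty for the excerpts above), then feed the filtered gid:sid list to whatever mechanism enables rules in your deployment. Enabling a DISABLED rule changes your default policy, so treat the list as input to a review rather than applying it blindly.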