Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-image, file-other, indicator-scan, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
* 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
* 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
* 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)

* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
* 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
* 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)

* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
* 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
* 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
* 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
* 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
* 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
* 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
* 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
* 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
* 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
* 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
* 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
* 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)

* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)