Talos has added and modified multiple rules in the file-flash, malware-cnc, malware-other, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules) * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules) * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules) * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules) * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules) * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules) * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules) * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules) * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules) * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules) * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules) * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules)
* 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules) * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules) * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules) * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules) * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules) * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules) * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules) * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules) * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules) * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules) * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules) * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules) * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules) * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules) * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules) * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules) * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules) * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules) * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules) * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules) * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules) * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules) * 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules) * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules) * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules) * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules) * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules) * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules) * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules) * 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules) * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules) * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules) * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules) * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules) * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules) * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules) * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules) * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules) * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
* 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules) * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules) * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules) * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
