Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
* 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
* 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
* 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
* 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
* 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
* 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
* 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
* 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
* 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
* 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
* 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
* 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
* 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
* 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
* 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
* 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
* 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
* 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
* 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
* 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
* 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
* 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
* 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
* 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
* 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
* 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
* 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)