Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-image, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-ftp, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42915 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42914 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42913 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42912 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42911 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42910 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42903 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42900 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection attempt (malware-cnc.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:42897 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
* 1:42896 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
* 1:42895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:42893 <-> DISABLED <-> SERVER-WEBAPP Eaton VURemote denial of service attempt (server-webapp.rules)
* 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection attempt (malware-cnc.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42889 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
* 1:42888 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
* 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules)
* 1:42886 <-> ENABLED <-> BLACKLIST User-Agent Win.Trojan.Agent malicious user agent (blacklist.rules)
* 1:42885 <-> ENABLED <-> MALWARE-CNC WashingTon ssl certificate negotiation attempt (malware-cnc.rules)
* 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
* 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
* 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection attempt (malware-cnc.rules)
* 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
* 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
* 1:42879 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
* 1:42868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
* 1:42867 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
* 1:42866 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
* 1:42865 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RRAS MIBEntryGet buffer overflow attempt (os-windows.rules)
* 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
* 1:42861 <-> ENABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)
* 1:42860 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
* 1:42859 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
* 1:42858 <-> DISABLED <-> SERVER-WEBAPP CVS password disclosure attempt (server-webapp.rules)
* 1:42857 <-> DISABLED <-> SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt (server-webapp.rules)
* 1:42856 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
* 1:42855 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
* 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
* 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:25670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:29188 <-> DISABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
* 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection attempt (malware-cnc.rules)
* 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42855 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
* 1:42856 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
* 1:42857 <-> DISABLED <-> SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt (server-webapp.rules)
* 1:42858 <-> DISABLED <-> SERVER-WEBAPP CVS password disclosure attempt (server-webapp.rules)
* 1:42859 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
* 1:42860 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
* 1:42861 <-> ENABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)
* 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
* 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42865 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RRAS MIBEntryGet buffer overflow attempt (os-windows.rules)
* 1:42866 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
* 1:42868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
* 1:42867 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
* 1:42869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
* 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
* 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 1:42879 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
* 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
* 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection attempt (malware-cnc.rules)
* 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
* 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
* 1:42885 <-> ENABLED <-> MALWARE-CNC WashingTon ssl certificate negotiation attempt (malware-cnc.rules)
* 1:42886 <-> ENABLED <-> BLACKLIST User-Agent Win.Trojan.Agent malicious user agent (blacklist.rules)
* 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules)
* 1:42888 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
* 1:42889 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
* 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
* 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection attempt (malware-cnc.rules)
* 1:42893 <-> DISABLED <-> SERVER-WEBAPP Eaton VURemote denial of service attempt (server-webapp.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:42895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:42896 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
* 1:42897 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:42915 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42914 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42913 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42912 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42911 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42910 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
* 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
* 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
* 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42903 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42900 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
* 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
* 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
* 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:29188 <-> DISABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:25670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
* 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)