Talos has added and modified multiple rules in the app-detect, browser-ie, file-other, indicator-compromise, malware-cnc, policy-other, protocol-scada, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43147 <-> ENABLED <-> SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt (server-webapp.rules)
* 1:43146 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
* 1:43145 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
* 1:43144 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
* 1:43143 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
* 1:43142 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
* 1:43141 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
* 1:43140 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
* 1:43139 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
* 1:43138 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
* 1:43137 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
* 1:43136 <-> DISABLED <-> SERVER-MAIL SysGauge SMTP response buffer overflow (server-mail.rules)
* 1:43134 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
* 1:43133 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43132 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43131 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43130 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules)
* 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules)
* 1:43126 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
* 1:43125 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
* 1:43124 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
* 1:43123 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
* 3:43135 <-> ENABLED <-> POLICY-OTHER JBoss Management console access detected (policy-other.rules)
* 3:43148 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP challenge-response buffer overflow attempt (protocol-scada.rules)
* 3:43149 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP certificate request unknown certificate detected (protocol-scada.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:20396 <-> DISABLED <-> PROTOCOL-VOIP INVITE flood attempt (protocol-voip.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL IMAP server EXAMINE command log message overflow attempt (server-mail.rules)
* 1:18452 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:19436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43142 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
* 1:43125 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
* 1:43126 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
* 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules)
* 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules)
* 1:43130 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:43131 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43132 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43133 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:43134 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
* 1:43136 <-> DISABLED <-> SERVER-MAIL SysGauge SMTP response buffer overflow (server-mail.rules)
* 1:43137 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
* 1:43138 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
* 1:43139 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
* 1:43140 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
* 1:43141 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
* 1:43147 <-> ENABLED <-> SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt (server-webapp.rules)
* 1:43144 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
* 1:43146 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
* 1:43145 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
* 1:43123 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
* 1:43124 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
* 1:43143 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
* 3:43135 <-> ENABLED <-> POLICY-OTHER JBoss Management console access detected (policy-other.rules)
* 3:43149 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP certificate request unknown certificate detected (protocol-scada.rules)
* 3:43148 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP challenge-response buffer overflow attempt (protocol-scada.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:19436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL IMAP server EXAMINE command log message overflow attempt (server-mail.rules)
* 1:18452 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
* 1:20396 <-> DISABLED <-> PROTOCOL-VOIP INVITE flood attempt (protocol-voip.rules)
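Most of the new rules in both the 2990 and 2983 lists ship DISABLED by default, so the coverage only takes effect once you turn the SIDs on in your policy; the gid 3 entries are shared object rules and only load if the precompiled SO rule package for your platform is installed. As an added example that is not Talos's or the Snort project's code, the following Python parses entries in the "gid:sid <-> Default rule state <-> Message (rule group)" format described above (one per line or run together on a single line, as on this page), reports which rules are disabled per rule file, and emits gid:sid entries in the form PulledPork's enablesid.conf accepts (that file's format is an assumption here, not something this page shows). The sample entries are constructed from this page's 2990 list.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the 2990 list, deliberately including one
# run-together line and one entry broken across two lines, as on the page.
SAMPLE = """\
* 1:43147 <-> ENABLED <-> SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt (server-webapp.rules) * 1:43142 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
* 1:43130 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory
corruption attempt (file-other.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 3:43148 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP challenge-response buffer overflow attempt (protocol-scada.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
"""

@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading token of the message, e.g. PROTOCOL-SCADA
    message: str
    group: str      # rule file, e.g. protocol-scada.rules

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

# One changelog entry: "* gid:sid <-> STATE <-> message (file.rules)"
ENTRY_RE = re.compile(
    r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[A-Za-z0-9_.-]+\.rules)\)$"
)

def parse_changelog(text: str) -> list[Rule]:
    """Parse entries whether they sit one per line or run together."""
    rules = []
    # Split before every "* gid:sid <->" so run-together lines become entries.
    for chunk in re.split(r"(?=\*\s+\d+:\d+\s+<->)", text):
        chunk = " ".join(chunk.split())  # collapse newlines inside an entry
        if not chunk.startswith("*"):
            continue                      # header text or empty leading chunk
        m = ENTRY_RE.match(chunk)
        if not m:
            raise ValueError(f"unrecognised changelog entry: {chunk!r}")
        msg = m["msg"]
        rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                          msg.split(" ", 1)[0], msg, m["group"]))
    return rules

def disabled_by_group(rules: list[Rule]) -> dict[str, list[str]]:
    """Rule file -> gid:sid keys that ship disabled and need a policy decision."""
    out: dict[str, list[str]] = {}
    for r in rules:
        if not r.enabled:
            out.setdefault(r.group, []).append(r.key)
    return out

def enablesid_entries(rules: list[Rule], groups: set[str]) -> list[str]:
    """gid:sid keys for disabled rules in the chosen rule files, one per line
    as PulledPork's enablesid.conf takes them (assumed format)."""
    return [r.key for r in rules if not r.enabled and r.group in groups]

def shared_object_rules(rules: list[Rule]) -> list[str]:
    """gid 3 entries: shared object rules that need the platform SO package."""
    return [r.key for r in rules if r.gid == 3]

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(f"{len(parsed)} entries parsed")
    for group, keys in disabled_by_group(parsed).items():
        print(f"{group}: disabled by default {keys}")
    # e.g. an ICS network that wants the SCADA and file rules active:
    print("enablesid.conf:", "\n".join(enablesid_entries(parsed, {"protocol-scada.rules", "file-other.rules"})))
    print("shared object rules:", shared_object_rules(parsed))
```

The parser raises on an entry it cannot match rather than silently dropping it, so a change in the changelog format surfaces immediately instead of leaving a rule out of your enable list.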