Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, indicator-shellcode, malware-cnc, os-windows, protocol-ftp, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:43239 <-> DISABLED <-> PROTOCOL-FTP WS-FTP REST command overly large file creation attempt (protocol-ftp.rules)
* 1:43240 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43241 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43242 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43243 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43244 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43245 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43246 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43247 <-> DISABLED <-> SERVER-APACHE Apache Rave information disclosure attempt (server-apache.rules)
* 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules)
* 1:43249 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt (server-webapp.rules)
* 1:43250 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject directory traversal attempt (server-webapp.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
* 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
* 1:43254 <-> DISABLED <-> INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets (indicator-shellcode.rules)
* 1:43255 <-> DISABLED <-> INDICATOR-SHELLCODE single byte x86 xor decryption routine (indicator-shellcode.rules)
* 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules)
* 1:43257 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
* 1:43258 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
* 1:43259 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43260 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43261 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43262 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43263 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43264 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43265 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43266 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
* 1:43269 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
* 1:43270 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
* 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)
* 1:43272 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43273 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43274 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43275 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43276 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
* 1:43280 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
* 1:19008 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt (browser-webkit.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:20737 <-> DISABLED <-> SERVER-WEBAPP 427BB cookie-based authentication bypass attempt (server-webapp.rules)
* 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
* 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
* 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43280 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
* 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
* 1:43278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43276 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43275 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
* 1:43274 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43273 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43272 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43270 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
* 1:43269 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
* 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43266 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43265 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:43264 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43263 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43262 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43261 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43260 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43259 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
* 1:43258 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
* 1:43257 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
* 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules)
* 1:43255 <-> DISABLED <-> INDICATOR-SHELLCODE single byte x86 xor decryption routine (indicator-shellcode.rules)
* 1:43254 <-> DISABLED <-> INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets (indicator-shellcode.rules)
* 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
* 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
* 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
* 1:43250 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject directory traversal attempt (server-webapp.rules)
* 1:43249 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt (server-webapp.rules)
* 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules)
* 1:43247 <-> DISABLED <-> SERVER-APACHE Apache Rave information disclosure attempt (server-apache.rules)
* 1:43246 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43245 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43244 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
* 1:43243 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43242 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43241 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43240 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner ActiveX clsid access attempt (browser-plugins.rules)
* 1:43239 <-> DISABLED <-> PROTOCOL-FTP WS-FTP REST command overly large file creation attempt (protocol-ftp.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)
* 1:19008 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt (browser-webkit.rules)
* 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
* 1:20737 <-> DISABLED <-> SERVER-WEBAPP 427BB cookie-based authentication bypass attempt (server-webapp.rules)
* 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
* 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
* 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
* 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
* 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
* 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
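The "gid:sid <-> Default rule state <-> Message (rule group)" format stated above is easy to parse, and most of what an operator wants from one of these changelogs is mechanical: which rules the pack turns on without any action (the ENABLED ones, which go live at the next rule reload), which rule groups got coverage, and whether the packs published for the two Snort versions actually differ. The following is an added example, not Talos tooling or code from the page; it parses a few entries copied from the lists above (including the run-together "entry * entry" form the page renders them in) and answers those questions. The output of enablesid_lines() is assumed to feed PulledPork's enablesid.conf, which takes one gid:sid per line; that assumption is the only thing here not taken from the page.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry, in the format the page states:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The parenthesised ".rules" file name is the rule group. gid 3 marks a
# shared-object rule, which is why packs are published per Snort version.
_ENTRY = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+)\.rules\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse changelog text. Entries may sit one per line or several per line joined
    by ' * ', as the page renders them. A chunk that does not match the format (for
    example an entry cut in half by a line break) is skipped rather than guessed at."""
    entries: list[RuleEntry] = []
    for line in text.splitlines():
        for chunk in re.split(r"\s\*\s(?=\d+:\d+\s*<->)", line.strip()):
            m = _ENTRY.match(chunk)
            if m:
                entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return entries


def summarize(entries: list[RuleEntry]) -> tuple[Counter, Counter]:
    """Counts by default state and by rule group."""
    return Counter(e.state for e in entries), Counter(e.group for e in entries)


def enabled_by_default(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of every rule the pack turns on without operator action, sorted by (gid, sid)."""
    return [e.key for e in sorted(entries, key=lambda e: (e.gid, e.sid)) if e.state == "ENABLED"]


def diff_packs(old: list[RuleEntry], new: list[RuleEntry]) -> tuple[set[str], set[str], set[str]]:
    """Compare two packs by gid:sid and return (removed, added, default-state changed)."""
    old_by = {e.key: e for e in old}
    new_by = {e.key: e for e in new}
    removed = set(old_by) - set(new_by)
    added = set(new_by) - set(old_by)
    changed = {k for k in old_by.keys() & new_by.keys() if old_by[k].state != new_by[k].state}
    return removed, added, changed


def enablesid_lines(entries: list[RuleEntry], groups: set[str]) -> list[str]:
    """One gid:sid per line for every rule in the chosen groups, the shape PulledPork's
    enablesid.conf accepts (assumption: rules are managed with PulledPork)."""
    keys = (e.key for e in entries if e.group in groups)
    return sorted(keys, key=lambda k: tuple(int(x) for x in k.split(":")))


# Excerpt of the 2983 list above, in the run-together form the page renders it in.
PACK_2983 = """\
* 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules) * 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules) * 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
* 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules) * 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)
* 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
"""

# The same rules as they appear in the 2990 list above, one per line.
PACK_2990 = """\
* 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)
* 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules)
* 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
* 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
* 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules)
* 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    old, new = parse_changelog(PACK_2983), parse_changelog(PACK_2990)
    by_state, by_group = summarize(old)
    print("by state:", dict(by_state))
    print("by group:", dict(by_group))
    print("on by default after reload:", enabled_by_default(old))
    print("2983 -> 2990 (removed, added, state changed):", diff_packs(old, new))
    print("enablesid.conf lines for protocol-scada:", enablesid_lines(old, {"protocol-scada"}))
```

Run against the full lists on this page, diff_packs() returns three empty sets: the 2983 and 2990 packs carry the same 43 new and 11 modified rules, only ordered differently. The practical caveat is the default state column. The PROTOCOL-SCADA and INDICATOR-SHELLCODE rules ship DISABLED, so a site that monitors IEC 61850 traffic gets no coverage from this update until it enables them, which is what the enablesid_lines() output is for.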