Talos has added and modified multiple rules in the app-detect, browser-ie, browser-other, file-multimedia, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, server-apache, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
* 1:43577 <-> DISABLED <-> SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (server-webapp.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43573 <-> DISABLED <-> SERVER-OTHER Cisco IOS DHCP denial of service attempt (server-other.rules)
* 1:43578 <-> DISABLED <-> MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (malware-cnc.rules)
* 1:43575 <-> ENABLED <-> MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (malware-cnc.rules)
* 1:43576 <-> DISABLED <-> INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (indicator-compromise.rules)
* 1:43569 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43574 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server command injection attempt (server-webapp.rules)
* 1:43571 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43572 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:43570 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43567 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
* 1:43568 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
* 1:43566 <-> DISABLED <-> SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (server-other.rules)
* 1:43564 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user creation detected (policy-other.rules)
* 1:43562 <-> DISABLED <-> POLICY-OTHER Teleopti WFM database information request detected (policy-other.rules)
* 1:43563 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user credentials request detected (policy-other.rules)
* 1:43584 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43583 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43585 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43586 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43588 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43589 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43590 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43591 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43592 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43593 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43594 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43595 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (server-webapp.rules)
* 1:43596 <-> DISABLED <-> SERVER-OTHER Oracle Demantra information disclosure attempt (server-other.rules)
* 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
* 1:43582 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (file-other.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:16221 <-> DISABLED <-> OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt (os-windows.rules)
* 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
* 1:26468 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
* 1:26469 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:29374 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
* 1:29375 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
* 1:29627 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt (server-other.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
* 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
* 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
* 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
* 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
* 3:42438 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP parsing integer overflow attempt (server-mail.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43596 <-> DISABLED <-> SERVER-OTHER Oracle Demantra information disclosure attempt (server-other.rules)
* 1:43595 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (server-webapp.rules)
* 1:43594 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43593 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43592 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43591 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
* 1:43590 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43589 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43588 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
* 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
* 1:43586 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43585 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43584 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43583 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
* 1:43582 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (file-other.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43578 <-> DISABLED <-> MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (malware-cnc.rules)
* 1:43577 <-> DISABLED <-> SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (server-webapp.rules)
* 1:43576 <-> DISABLED <-> INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (indicator-compromise.rules)
* 1:43575 <-> ENABLED <-> MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (malware-cnc.rules)
* 1:43574 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server command injection attempt (server-webapp.rules)
* 1:43573 <-> DISABLED <-> SERVER-OTHER Cisco IOS DHCP denial of service attempt (server-other.rules)
* 1:43572 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43571 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43570 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43569 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
* 1:43568 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
* 1:43567 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
* 1:43566 <-> DISABLED <-> SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (server-other.rules)
* 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
* 1:43564 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user creation detected (policy-other.rules)
* 1:43563 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user credentials request detected (policy-other.rules)
* 1:43562 <-> DISABLED <-> POLICY-OTHER Teleopti WFM database information request detected (policy-other.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:16221 <-> DISABLED <-> OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt (os-windows.rules)
* 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
* 1:26468 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
* 1:26469 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
* 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:29374 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
* 1:29375 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
* 1:29627 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt (server-other.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:30851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
* 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
* 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
* 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
* 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
* 3:42438 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP parsing integer overflow attempt (server-mail.rules)
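The lists above for both rule packs share the "gid:sid <-> Default rule state <-> Message (rule group)" format, and almost every new rule in them, including the Oracle Database Server authentication bypass (1:43581) and the CA eHealth and IBM Tealeaf command injection rules, ships DISABLED; only the NeutrinoPOS, Edge ReverseHelper, WebEx and IBM Domino rules are on by default. An operator who wants that coverage has to parse the release notes and turn the relevant rules on. The following Python is an added example, not code from Talos or the Snort project: it parses entries in this format (including a list that extraction has run together on one line or split mid-entry), reports which rules ship enabled, and emits "gid:sid" lines for the disabled rules in chosen rule files. The sample text is a constructed excerpt of entries taken from the lists above, and the assumption that one "gid:sid" per line is accepted by PulledPork's enablesid.conf is mine, not something the page states.

```python
"""Parse Snort rule-pack release notes written one entry per bullet as
    gid:sid <-> Default rule state <-> Message (rule group)
and report which rules ship enabled, which ship disabled, and which to turn on.
Added example; the constants and helper names below are this example's own."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One entry. Applied with finditer over whitespace-normalised text, so the same
# pattern handles one-entry-per-line notes and a list that extraction has run
# together on a single line or split mid-entry (see "1:43562" in SAMPLE).
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[a-z0-9-]+\.rules)\)"
)

# Constructed excerpt of entries copied from the release notes above, deliberately
# including a run-together line and an entry split across a line break.
SAMPLE = """\
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules) * 1:43575 <-> ENABLED <-> MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (malware-cnc.rules) * 1:43562
<-> DISABLED <-> POLICY-OTHER Teleopti WFM database information request detected (policy-other.rules)
* 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
* 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
* 3:42438 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP parsing integer overflow attempt (server-mail.rules)
* 1:43584 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str  # rule file the entry belongs to, e.g. "server-webapp.rules"

    @property
    def category(self) -> str:
        """Upper-case classification prefix of the message, e.g. SERVER-WEBAPP."""
        return self.message.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Extract every gid:sid entry; newlines are collapsed so split entries rejoin."""
    flat = re.sub(r"\s+", " ", text)
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"])
        for m in ENTRY_RE.finditer(flat)
    ]


def unparsed_count(text: str) -> int:
    """Sanity check: every entry carries exactly two '<->' separators, so a nonzero
    result means the regex missed something (the page's own format header line
    'gid:sid <-> Default rule state <-> Message (rule group)' counts as one)."""
    return text.count("<->") // 2 - len(parse_entries(text))


def summarize(entries: list[RuleEntry]) -> dict:
    """Totals plus a per-rule-file count of rules that ship disabled."""
    enabled = sum(e.enabled for e in entries)
    return {
        "total": len(entries),
        "enabled": enabled,
        "disabled": len(entries) - enabled,
        "disabled_by_group": Counter(e.group for e in entries if not e.enabled),
    }


def enabled_sids(entries: list[RuleEntry]) -> list[str]:
    """'gid:sid' of rules that are on in the default policy state."""
    return sorted(f"{e.gid}:{e.sid}" for e in entries if e.enabled)


def enablesid_lines(entries: list[RuleEntry], groups: set[str]) -> list[str]:
    """'gid:sid' lines for rules that ship DISABLED in the given rule files, in the
    one-rule-per-line form assumed here to be accepted by PulledPork's enablesid.conf
    (check your own rule-management tool's syntax)."""
    wanted = [e for e in entries if not e.enabled and e.group in groups]
    return [f"{e.gid}:{e.sid}" for e in sorted(wanted, key=lambda e: (e.gid, e.sid))]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(summarize(parsed))
    print("enabled by default:", enabled_sids(parsed))
    print("\n".join(enablesid_lines(parsed, {"server-other.rules", "server-webapp.rules"})))
```

Run against the full text of a release note rather than the excerpt, then check that unparsed_count is what you expect before trusting the output; a stray entry the regex failed to match is exactly the rule you would forget to enable.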