Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-office, file-other, malware-backdoor, os-windows, policy-other, server-iis, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43796 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43793 <-> DISABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43789 <-> DISABLED <-> SERVER-OTHER Solarwinds Virtualization Manager Java malicious object deserialization attempt (server-other.rules)
* 1:43791 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
* 1:43792 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
* 1:43775 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
* 1:43776 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
* 1:43777 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
* 1:43778 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt (browser-firefox.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:43780 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router buffer overflow attempt (server-webapp.rules)
* 1:43781 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43782 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43783 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43784 <-> DISABLED <-> POLICY-OTHER D-Link DIR-645 router external authentication attempt (policy-other.rules)
* 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43799 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43800 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43801 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43806 <-> DISABLED <-> MALWARE-BACKDOOR HVL Rat inbound command (malware-backdoor.rules)
* 1:43807 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 1:43808 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 1:43809 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt (server-webapp.rules)
* 1:43810 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43811 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43812 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43818 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43790 <-> ENABLED <-> SERVER-OTHER Apache mod_auth_digest out of bounds read attempt (server-other.rules)
* 1:43816 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43817 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43815 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43785 <-> DISABLED <-> POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check (policy-other.rules)
* 1:43813 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt (server-webapp.rules)

* 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:34299 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
* 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
* 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
* 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)
* 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
* 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
* 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
* 1:41850 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
* 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43444 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:6289 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server (malware-backdoor.rules)
* 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:31194 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43818 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43817 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43816 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43815 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:43813 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt (server-webapp.rules)
* 1:43812 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43811 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43810 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
* 1:43809 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt (server-webapp.rules)
* 1:43808 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 1:43807 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
* 1:43806 <-> DISABLED <-> MALWARE-BACKDOOR HVL Rat inbound command (malware-backdoor.rules)
* 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43801 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43800 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43799 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43796 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
* 1:43793 <-> DISABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
* 1:43792 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
* 1:43791 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
* 1:43790 <-> ENABLED <-> SERVER-OTHER Apache mod_auth_digest out of bounds read attempt (server-other.rules)
* 1:43789 <-> DISABLED <-> SERVER-OTHER Solarwinds Virtualization Manager Java malicious object deserialization attempt (server-other.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43785 <-> DISABLED <-> POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check (policy-other.rules)
* 1:43784 <-> DISABLED <-> POLICY-OTHER D-Link DIR-645 router external authentication attempt (policy-other.rules)
* 1:43783 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43782 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43781 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
* 1:43780 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router buffer overflow attempt (server-webapp.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:43778 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt (browser-firefox.rules)
* 1:43777 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
* 1:43776 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
* 1:43775 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)

* 1:31194 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
* 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
* 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
* 1:34299 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
* 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)
* 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
* 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
* 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
* 1:41850 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
* 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
* 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43444 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:6289 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server (malware-backdoor.rules)
* 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)