Talos has added and modified multiple rules in the browser-chrome, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-image, file-multimedia, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
* 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
* 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
* 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
* 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
* 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
* 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
* 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)

* 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
* 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
* 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
* 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
* 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
* 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
* 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
* 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
* 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
* 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
* 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
* 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)

* 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
* 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
* 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
* 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
* 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
* 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
* 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
* 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
* 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
* 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
* 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
* 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
* 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
* 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
* 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
* 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
* 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
* 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
* 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
* 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
* 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
* 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
* 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
* 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
* 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
* 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
* 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
* 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
* 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
* 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
* 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
* 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
* 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
* 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
* 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)

* 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
* 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
* 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
* 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
* 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
* 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
* 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control
clsid access (browser-plugins.rules) * 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules) * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)