Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-other, malware-tools, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
* 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
* 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
* 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
* 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
* 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
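The changelog format above ("gid:sid <-> Default rule state <-> Message (rule group)") is the same for all three rule packs on this page, and two things about it matter operationally: a DISABLED entry is shipped but not loaded until you enable it (with PulledPork that means a `gid:sid` line in enablesid.conf), and gid 3 entries such as the TRUFFLEHUNTER rules are shared-object rules delivered as precompiled .so files for your platform rather than as text rules. The following parser is an added example, not code from Talos or the Snort project: it reads the changelog text exactly as it appears on this page (including the flattened form where entries run together separated by " * " and a message may be wrapped across a line break), lets you pick the disabled rules you want for a given rule group or category, emits an enablesid.conf fragment, and cross-checks two packs for entries that are present in one but not the other. The sample entries are copied from the 2983 list above; the second, shorter sample is constructed to show the cross-check. Function names are this example's own.

```python
"""Parse a Talos/Snort rule-update changelog in the
'gid:sid <-> Default rule state <-> Message (rule group)' format and turn it
into a PulledPork enablesid.conf fragment plus a pack-to-pack cross-check.
Added example; not Talos or Snort project code."""
import re
from collections import Counter

# One changelog entry. DOTALL lets a message survive the line breaks that the
# flattened page text puts in the middle of some rule messages.
ENTRY_RE = re.compile(
    r"(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.+?)\s*\(([\w.-]+\.rules)\)",
    re.DOTALL,
)

# Constructed sample: five entries copied from the 2983 list on this page, in
# the flattened " * "-separated form, with one message wrapped across a line.
SAMPLE_2983 = (
    "* 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules) "
    "* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules) "
    "* 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules) "
    "* 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs \n"
    "arbitrary file write attempt (file-pdf.rules) "
    "* 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)"
)

# Constructed second pack that lacks 1:44103, to exercise the cross-check.
SAMPLE_OTHER = (
    "* 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules) "
    "* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules) "
    "* 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules) "
    "* 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)"
)


def parse_changelog(text):
    """Return one dict per entry, in document order.

    gid 3 marks a shared-object (SO) rule: it is distributed as a precompiled
    .so for the platform, so enabling it requires the matching SO bundle."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        gid, sid, state, msg, group = m.groups()
        msg = " ".join(msg.split())  # collapse wrapped whitespace
        rules.append({
            "gid": int(gid), "sid": int(sid), "state": state,
            "category": msg.split(" ", 1)[0],  # e.g. FILE-PDF
            "msg": msg, "group": group,
            "shared_object": int(gid) == 3,
        })
    return rules


def select_disabled(rules, groups=None, categories=None):
    """Disabled-by-default rules, optionally filtered by rule group file
    (e.g. 'file-pdf.rules') and/or message category (e.g. 'FILE-PDF')."""
    return [
        r for r in rules
        if r["state"] == "DISABLED"
        and (groups is None or r["group"] in groups)
        and (categories is None or r["category"] in categories)
    ]


def enablesid_lines(rules):
    """Render sorted, de-duplicated 'gid:sid' lines, the per-rule form that
    PulledPork's enablesid.conf accepts."""
    keys = sorted({(r["gid"], r["sid"]) for r in rules})
    return [f"{gid}:{sid}" for gid, sid in keys]


def missing_from(rules_a, rules_b):
    """(gid, sid) pairs listed in pack A but absent from pack B; a quick way
    to spot entries that did not carry over between rule-pack builds."""
    keys_b = {(r["gid"], r["sid"]) for r in rules_b}
    return {(r["gid"], r["sid"]) for r in rules_a} - keys_b


def summarize(rules):
    """Count entries per (rule group, default state)."""
    return Counter((r["group"], r["state"]) for r in rules)


if __name__ == "__main__":
    pack = parse_changelog(SAMPLE_2983)
    wanted = select_disabled(pack, groups={"file-pdf.rules", "server-webapp.rules"})
    print("\n".join(enablesid_lines(wanted)))
    print(sorted(missing_from(pack, parse_changelog(SAMPLE_OTHER))))
    print(summarize(pack))
```

Feed the full text of one pack's list into `parse_changelog` and the group or category filter into `select_disabled`; the `enablesid_lines` output can be appended to enablesid.conf before the next PulledPork run. Remember that enabling a gid 3 entry only takes effect if the shared-object rules for your Snort build are installed.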
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
* 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
* 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
* 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
* 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
* 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
* 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
* 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
* 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
* 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
* 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
* 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
* 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
* 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
* 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
* 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
* 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
* 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
* 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
* 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
* 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
* 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
* 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
* 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)