Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-image, file-multimedia, file-other, file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44219 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 1:44218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44213 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Tarayt (blacklist.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44201 <-> DISABLED <-> SERVER-OTHER Verso NetPerformer frame relay access device telnet buffer overflow attempt (server-other.rules)
* 1:44191 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman BackupDBase opcode command injection attempt (server-other.rules)
* 1:44204 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44190 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyfshent variant outbound connection (malware-cnc.rules)
* 1:44202 <-> DISABLED <-> SERVER-OTHER Sybase M-Business Anywhere agSoap.exe closing tag buffer overflow attempt (server-other.rules)
* 1:44197 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44203 <-> DISABLED <-> SERVER-OTHER HP Data Protector memory corruption attempt (server-other.rules)
* 1:44205 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44206 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44207 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44208 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44209 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bullrat variant outbound connection (malware-cnc.rules)
* 1:44196 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44222 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44214 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Graftor (blacklist.rules)
* 1:44199 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44215 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
* 1:44198 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44200 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44194 <-> DISABLED <-> FILE-MULTIMEDIA multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:44220 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44195 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 3:44230 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44226 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44229 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44227 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44228 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44189 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0421 attack attempt (server-other.rules)
* 3:44223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 1:26169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
* 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:18777 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:16414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:19155 <-> DISABLED <-> SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt (server-webapp.rules)
* 1:25603 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
* 1:26168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44214 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Graftor (blacklist.rules)
* 1:44198 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44213 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Tarayt (blacklist.rules)
* 1:44204 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44195 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44200 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44201 <-> DISABLED <-> SERVER-OTHER Verso NetPerformer frame relay access device telnet buffer overflow attempt (server-other.rules)
* 1:44194 <-> DISABLED <-> FILE-MULTIMEDIA multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:44196 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44197 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44203 <-> DISABLED <-> SERVER-OTHER HP Data Protector memory corruption attempt (server-other.rules)
* 1:44205 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44206 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44202 <-> DISABLED <-> SERVER-OTHER Sybase M-Business Anywhere agSoap.exe closing tag buffer overflow attempt (server-other.rules)
* 1:44207 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44208 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44209 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bullrat variant outbound connection (malware-cnc.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44199 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44215 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
* 1:44216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44222 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44190 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyfshent variant outbound connection (malware-cnc.rules)
* 1:44192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44191 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman BackupDBase opcode command injection attempt (server-other.rules)
* 1:44220 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44219 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 3:44229 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44230 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44227 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44228 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44226 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44189 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0421 attack attempt (server-other.rules)
* 1:26168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
* 1:26169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
* 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:19155 <-> DISABLED <-> SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt (server-webapp.rules)
* 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:16414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:18777 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:25603 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44222 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44220 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44219 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 1:44218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44216 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:44215 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)
* 1:44214 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Graftor (blacklist.rules)
* 1:44213 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Tarayt (blacklist.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Tarayt outbound connection attempt (malware-cnc.rules)
* 1:44210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bullrat variant outbound connection (malware-cnc.rules)
* 1:44209 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44208 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44207 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44206 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded JS array memory corruption attempt (file-pdf.rules)
* 1:44205 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44204 <-> DISABLED <-> FILE-OTHER VideoLAN VLC Media Player Ogg/Vorbis denial of service attempt (file-other.rules)
* 1:44203 <-> DISABLED <-> SERVER-OTHER HP Data Protector memory corruption attempt (server-other.rules)
* 1:44202 <-> DISABLED <-> SERVER-OTHER Sybase M-Business Anywhere agSoap.exe closing tag buffer overflow attempt (server-other.rules)
* 1:44201 <-> DISABLED <-> SERVER-OTHER Verso NetPerformer frame relay access device telnet buffer overflow attempt (server-other.rules)
* 1:44200 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44199 <-> DISABLED <-> BROWSER-IE Microsoft Internet print table of links cross site scripting attempt (browser-ie.rules)
* 1:44198 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44197 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44196 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44195 <-> DISABLED <-> BROWSER-IE Internet Explorer CCaret memory corruption attempt (browser-ie.rules)
* 1:44194 <-> DISABLED <-> FILE-MULTIMEDIA multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:44193 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44192 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
* 1:44191 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman BackupDBase opcode command injection attempt (server-other.rules)
* 1:44190 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyfshent variant outbound connection (malware-cnc.rules)
* 3:44229 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44230 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44228 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44227 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44226 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 3:44189 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0421 attack attempt (server-other.rules)
* 3:44223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0406 attack attempt (file-image.rules)
* 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
* 1:32856 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:26169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
* 1:18777 <-> DISABLED <-> SERVER-OTHER HP data protector OmniInet service NULL dereference denial of service attempt (server-other.rules)
* 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:19155 <-> DISABLED <-> SERVER-WEBAPP HP Data Protector Media Operations SignInName Parameter overflow attempt (server-webapp.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:16414 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Shell Handler remote code execution attempt (os-windows.rules)
* 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
* 1:32855 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader graphics module crash attempt (file-pdf.rules)
* 1:26168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CCaret use after free attempt (browser-ie.rules)
* 1:25603 <-> DISABLED <-> SERVER-OTHER Sybase Open Server TDS login packet stack memory corruption attempt (server-other.rules)