Talos has added and modified multiple rules in the file-office, file-other, indicator-compromise, malware-cnc, protocol-dns, pua-adware, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Rules whose default state is DISABLED ship commented out in the rule pack and must be enabled explicitly (for example through a PulledPork enablesid.conf entry of the form gid:sid) if the affected product is present on your network. Entries with gid 3 are shared object (SO) rules, which require the precompiled SO rule package for your platform.
Rules added:
* 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
* 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
* 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
* 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
* 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)
* 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
* 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)
Rules modified:
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
* 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
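The list format used in this post (gid:sid <-> Default rule state <-> Message (rule group)) is easy to parse, and doing so is the quickest way to review a release: count what was added per rule group, and pull out the DISABLED signatures you may want to turn on because the affected product is on your network. The following Python is an added example written for this page; it is not Talos or Snort project code. The sample entries are copied from the list above (a constructed subset, not the full release), and the output of enablesid_lines is in the gid:sid form that PulledPork's enablesid.conf accepts.

```python
import re
from collections import Counter

# One entry in the format used by these release notes:
#   [* ]gid:sid <-> ENABLED|DISABLED <-> Message (rule-group.rules)
RULE_LINE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: six entries taken from the 2983 "Rules added" list above.
SAMPLE = """\
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
* 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
"""


def parse_rules(text):
    """Parse release-note lines into dicts.

    Returns (rules, errors): rules is a list of dicts with integer gid/sid,
    state, msg and group; errors holds any non-empty line that did not match
    the format, so a truncated or extraction-damaged entry is never silently
    dropped.
    """
    rules, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_LINE.match(line)
        if not m:
            errors.append(line)
            continue
        entry = m.groupdict()
        entry["gid"] = int(entry["gid"])
        entry["sid"] = int(entry["sid"])
        rules.append(entry)
    return rules, errors


def is_shared_object_rule(rule):
    """gid 3 entries are shared object (SO) rules and need the precompiled SO package."""
    return rule["gid"] == 3


def count_by_group(rules):
    """Counter keyed by (rule group, default state), e.g. ('server-webapp.rules', 'DISABLED')."""
    return Counter((r["group"], r["state"]) for r in rules)


def enablesid_lines(rules, groups):
    """gid:sid lines for DISABLED rules in the given groups, in enablesid.conf form.

    Sorted numerically by (gid, sid) so the output is stable across releases.
    """
    wanted = [r for r in rules if r["state"] == "DISABLED" and r["group"] in groups]
    wanted.sort(key=lambda r: (r["gid"], r["sid"]))
    return [f"{r['gid']}:{r['sid']}" for r in wanted]


if __name__ == "__main__":
    parsed, bad = parse_rules(SAMPLE)
    for (group, state), n in sorted(count_by_group(parsed).items()):
        print(f"{group:28s} {state:8s} {n}")
    print("SO rules:", [r["sid"] for r in parsed if is_shared_object_rule(r)])
    print("enablesid.conf candidates:",
          enablesid_lines(parsed, {"server-webapp.rules", "server-other.rules"}))
    if bad:
        print("unparsed lines:", bad)
```

Run it against the full "Rules added" text of a release to get a per-group tally; the unparsed-lines list is the check that tells you an entry was split across lines by copy-paste before you trust the counts.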
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Rules added:
* 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
* 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
* 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
* 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
* 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)
* 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
* 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)
Rules modified:
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
* 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100 (Snort 2.9.11.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Rules added:
* 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
* 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
* 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
* 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
* 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
* 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
* 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
* 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
* 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
* 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)
* 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
* 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
* 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)
Rules modified:
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
* 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
* 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
* 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)