Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-other, os-other, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
* 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
* 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
* 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
* 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
* 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
* 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
* 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
* 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
* 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
* 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
* 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
* 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
* 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
* 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
* 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
* 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)
* 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
* 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
* 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
* 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
* 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
* 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
* 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
* 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
* 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
* 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
* 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
* 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
* 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
* 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
* 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
* 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
* 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
* 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
* 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
* 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
* 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
* 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
* 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
* 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
* 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
* 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
* 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
* 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
* 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
* 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
* 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
* 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
* 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
* 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
* 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
* 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
* 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
* 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
* 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)
* 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)