Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
* 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
* 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
* 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
* 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
* 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
* 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
* 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
* 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
* 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
* 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
* 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
* 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
* 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
* 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
* 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
* 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
* 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
* 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
* 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
* 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
* 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
* 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
* 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
* 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
* 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
* 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
* 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
* 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
* 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
* 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
* 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
* 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
* 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
* 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
* 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
* 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
* 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
* 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
* 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
* 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
* 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
* 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
* 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
* 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
* 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
* 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
* 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
* 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)