Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
* 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
* 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
* 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
* 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
* 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
* 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
* 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
* 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
* 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified rules:

* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)
* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
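The gid:sid <-> state <-> message (group) format above is regular enough to script against, which is how an operator would normally turn a release note like this into a review list (which newly added rules ship DISABLED and may deserve enabling after false-positive testing, or which SIDs a newer pack adds relative to the one already deployed). The Python below is an added example, not code from the Talos release note or the Snort project. It parses entries in that format, tolerates entries that extraction has run together on one line (as on this page), summarizes them by state and rule group, and emits gid:sid strings in the one-per-line form PulledPork's enablesid.conf accepts. The sample text is constructed from a few entries of the 2983 list; the function names are the example's own.

```python
import re
from collections import Counter

# One entry of the changelog format on this page:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The leading "* " bullet is not part of the entry and is simply skipped.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[A-Za-z0-9_-]+\.rules)\)"
)

# Constructed sample: six entries copied from the 2983 list, with the first
# two deliberately run together on one line the way the extracted page has them.
SAMPLE_2983 = """\
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules) * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
"""


def parse_changelog(text):
    """Parse every gid:sid entry in text, in document order.

    Matching runs over the whole text rather than line by line, so entries
    that extraction has joined onto one line are still picked up. The message
    is assumed not to end with a '(...rules)' of its own; the first token of
    the message is the Snort rule category (FILE-OFFICE, MALWARE-CNC, ...)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        msg = m.group("msg")
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "category": msg.split(" ", 1)[0],
            "msg": msg,
            "group": m.group("group"),
        })
    return entries


def count_by(entries, key):
    """Counter of entries by one field, e.g. 'state', 'group' or 'category'."""
    return Counter(e[key] for e in entries)


def _gid_sid(e):
    return f"{e['gid']}:{e['sid']}"


def enable_candidates(entries, keyword):
    """gid:sid strings for rules that ship DISABLED and whose message mentions
    keyword (case-insensitive), sorted by (gid, sid). This is the review list
    for deciding which off-by-default rules, e.g. the DDE field rules, to turn
    on via enablesid.conf after testing them for false positives."""
    kw = keyword.lower()
    hits = [e for e in entries if e["state"] == "DISABLED" and kw in e["msg"].lower()]
    return [_gid_sid(e) for e in sorted(hits, key=lambda e: (e["gid"], e["sid"]))]


def new_in(previous, current):
    """gid:sid strings present in current but absent from previous, sorted by
    (gid, sid): what a newer rule pack adds relative to the one you already run."""
    seen = {(e["gid"], e["sid"]) for e in previous}
    added = [e for e in current if (e["gid"], e["sid"]) not in seen]
    return [_gid_sid(e) for e in sorted(added, key=lambda e: (e["gid"], e["sid"]))]


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_2983)
    print(f"{len(entries)} entries")
    print("by state:", dict(count_by(entries, "state")))
    print("by group:", dict(count_by(entries, "group")))
    print("disabled DDE rules to review:", enable_candidates(entries, "dde"))
```

Run against the full text of one release note (or two, for new_in), the output of enable_candidates can be pasted straight into enablesid.conf; the parser deliberately does not touch the DISABLED default itself, since the release note only records the default state and the decision to enable a rule belongs to the operator.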
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
* 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
* 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
* 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
* 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
* 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
* 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
* 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
* 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
* 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified rules:

* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100 (Snort 2.9.11.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
* 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
* 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
* 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
* 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
* 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
* 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
* 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
* 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
* 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
* 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
* 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
* 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
* 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
* 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
* 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
* 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
* 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
* 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
* 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
* 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
* 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
* 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
* 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
* 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified rules:

* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)