Talos has added and modified multiple rules in the browser-ie, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort 2.9.8.3 (version string 2983).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
The default rule state is the state the rule ships in: ENABLED rules fire out of the box, while DISABLED rules are commented out in the rule file and must be enabled explicitly (for example through a PulledPork enablesid entry) before they generate alerts. Entries with gid 1 are plain-text rules; entries with gid 3 are shared-object (precompiled) rules and require the SO rule bundle built for your Snort version and platform.
Added rules:
* 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
* 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
* 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
* 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
Modified rules:
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
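The changelog format above is regular enough to process mechanically, which is how most teams decide what to turn on after a rule pack lands. The following Python is an added example written for this page, not code from Talos or the Snort project: it parses entries in the gid:sid <-> state <-> message (group) format (including the run-together "* entry * entry" form the list arrives in, and an entry wrapped across a line break), lists the DISABLED text rules as gid:sid strings in the form a PulledPork enablesid.conf accepts, tallies rules by group and state, and diffs two packs by gid:sid. The sample text is a handful of entries copied from the 2983 list; the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry:  gid:sid <-> ENABLED|DISABLED <-> message (group.rules)
ENTRY_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Sample input: entries copied from the 2983 list above, deliberately left in the
# run-together form and with one entry (1:44623) wrapped across a line break.
SAMPLE = (
    "* 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules) "
    "* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules) "
    "* 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart\n"
    "default domain login attempt (policy-other.rules) "
    "* 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)\n"
    "* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)"
)


@dataclass(frozen=True)
class Entry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def kind(self):
        # Snort generator IDs: 1 = text rules, 3 = shared-object (precompiled) rules.
        return {1: "text", 3: "shared-object"}.get(self.gid, f"gid-{self.gid}")


def parse_changelog(text):
    """Return Entry objects for every well-formed entry in the changelog text."""
    # Entries are separated by ' * ' (or a leading '* '), so split on that first,
    # then collapse any whitespace/newlines inside a single entry.
    chunks = re.split(r"(?:^|\s)\*\s+", text)
    entries = []
    for chunk in chunks:
        chunk = " ".join(chunk.split())
        m = ENTRY_RE.match(chunk)
        if m:
            entries.append(Entry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return entries


def enablesid_lines(entries, gid=1):
    """gid:sid strings for the rules that ship DISABLED, sorted numerically.

    These are the rules that will not alert until you enable them; the output
    is in the gid:sid form a PulledPork enablesid.conf takes. Shared-object
    rules (gid 3) are excluded by default because they need the SO bundle
    for your platform before enabling them does anything.
    """
    wanted = {f"{e.gid}:{e.sid}" for e in entries if e.state == "DISABLED" and e.gid == gid}
    return sorted(wanted, key=lambda s: tuple(int(p) for p in s.split(":")))


def summarize(entries):
    """Count entries per (rule group, default state)."""
    return Counter((e.group, e.state) for e in entries)


def diff_packs(old, new):
    """(added, removed) gid:sid tuples between two parsed packs."""
    old_ids = {(e.gid, e.sid) for e in old}
    new_ids = {(e.gid, e.sid) for e in new}
    return sorted(new_ids - old_ids), sorted(old_ids - new_ids)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for e in parsed:
        print(f"{e.gid}:{e.sid} {e.state:8} {e.kind:13} {e.group}  {e.msg}")
    print("enablesid.conf candidates:", ", ".join(enablesid_lines(parsed)))
    for (group, state), n in sorted(summarize(parsed).items()):
        print(f"{group:24} {state:8} {n}")
```

Run it against a saved copy of a changelog and feed the enablesid output to PulledPork only after reviewing each rule's message: rules such as 1:2570 (invalid HTTP version string) and the INDICATOR-* rules ship disabled because they are noisy on ordinary traffic, not because they are unimportant.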
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort 2.9.9.0 (version string 2990).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
* 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
* 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
* 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
Modified rules:
* 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort 2.9.11.0 (version string 2091100).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
* 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
* 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
* 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
* 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
* 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
* 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
* 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
* 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
* 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
* 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
Modified rules:
* 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
* 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
* 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)