Talos has added and modified multiple rules in the browser-plugins, malware-cnc, malware-other, netbios, os-windows, protocol-dns, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)
* 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
* 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
* 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
* 1:44645 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
* 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
* 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
* 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
* 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
* 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
* 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
* 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44644 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
* 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
* 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

* 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
* 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
* 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
* 1:44645 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
* 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
* 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
* 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
* 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
* 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
* 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
* 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
* 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
* 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
* 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44644 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
* 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)

* 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
* 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
* 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
* 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
* 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)
* 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
* 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
* 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
* 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
* 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
* 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
* 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
* 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
* 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
* 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
* 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
* 1:44645 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
* 1:44644 <-> DISABLED <-> SERVER-WEBAPP pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)

* 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
* 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
* 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)