Talos has added and modified multiple rules in the indicator-compromise, policy-other, protocol-snmp, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:

* 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
* 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
* 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
* 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
* 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)

Modified Rules:

* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:

* 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
* 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
* 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
* 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
* 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)

Modified Rules:

* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100 (Snort 2.9.11.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:

* 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
* 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
* 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
* 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
* 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
* 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
* 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
* 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
* 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)

Modified Rules:

* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
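As an added example, not part of the Talos changelog and not Talos tooling, here is a small Python parser for the gid:sid <-> Default rule state <-> Message (rule group) format used in the three lists above. It re-splits lists that have been run together onto one line (as these often are after a copy/paste), summarises the entries per rule group, lists the rules that ship DISABLED by default and so need explicit enabling in your policy, and diffs two rule-pack lists to show which gid:sid pairs were added or dropped. The sample lines are copied from the changelog; the SAMPLE_* names, the RuleEntry class and the helper functions are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of the changelog's own lines (not the full list),
# one rule per line, in the gid:sid <-> state <-> message (group) format.
SAMPLE_2983 = """\
* 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
* 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
* 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
* 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
* 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
"""

# Constructed sample of the same format as it often survives copy/paste:
# every bullet run together on a single line.
SAMPLE_FLATTENED = (
    "* 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules) "
    "* 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)"
)

# gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)$"
)
# A new bullet starts wherever "* <gid>:<sid> <->" appears; used to un-flatten.
BULLET_SPLIT_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True, order=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def shared_object(self) -> bool:
        # gid 3 is Snort's shared-object (SO) rule generator: these rules ship as
        # compiled modules, so the SO package built for your exact Snort version
        # is required, not just the text .rules file named in the group.
        return self.gid == 3


def split_flattened(text: str) -> list[str]:
    """Split a bullet list back into one entry per line, whether or not it was run together."""
    return [part.strip() for part in BULLET_SPLIT_RE.split(text) if part.strip()]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse changelog text in either one-per-line or flattened form."""
    entries = []
    for line in split_flattened(text):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised changelog line: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def count_by_group(entries: list[RuleEntry]) -> dict[str, int]:
    """How many entries land in each .rules file."""
    return dict(Counter(e.group for e in entries))


def needs_enabling(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of rules that are DISABLED by default: they will not alert until
    your policy (or a tool such as PulledPork's enablesid.conf) turns them on."""
    return [f"{e.gid}:{e.sid}" for e in sorted(entries) if not e.enabled]


def diff_packs(old: list[RuleEntry], new: list[RuleEntry]) -> tuple[list, list]:
    """(added, removed) gid:sid pairs between two rule-pack changelogs."""
    old_ids = {(e.gid, e.sid) for e in old}
    new_ids = {(e.gid, e.sid) for e in new}
    return sorted(new_ids - old_ids), sorted(old_ids - new_ids)


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_2983)
    for e in entries:
        kind = "SO" if e.shared_object else "text"
        print(f"{e.gid}:{e.sid:<6} {'on ' if e.enabled else 'off'} {kind:<4} {e.group:<28} {e.message}")
    print("per group:", count_by_group(entries))
    print("need enabling:", needs_enabling(entries))
    print("flattened parsed:", [(e.gid, e.sid) for e in parse_changelog(SAMPLE_FLATTENED)])
    print("diff vs. first three:", diff_packs(entries[:3], entries))
```

Two things the parsed output makes visible that the raw list hides: every gid 1 text rule in these packs is DISABLED by default and will not fire until it is enabled in your policy, and every ENABLED rule here is a gid 3 shared-object rule, which only loads if you install the SO rule package matching your Snort build.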