Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
* 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
* 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
* 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
* 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
* 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
* 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
* 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
* 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
* 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
* 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)

* 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
* 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
* 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
* 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
* 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
* 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
* 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
* 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
* 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
* 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
* 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
* 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
* 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
* 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)

* 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
* 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
* 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
* 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
* 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
* 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
* 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
* 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
* 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
* 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
* 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
* 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
* 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
* 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
* 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
* 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)

* 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
* 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
* 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
* 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
* 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
* 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
* 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
* 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)