Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-office, file-other, file-pdf, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
* 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
* 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
* 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
* 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
* 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
* 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
* 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
* 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
* 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)
* 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)
* 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
* 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
* 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
* 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
* 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
* 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
* 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)
* 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
* 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
* 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
* 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
* 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
* 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
* 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)
* 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
* 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
* 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
* 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
* 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
* 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
* 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
* 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
* 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
* 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
* 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
* 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
* 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
* 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
* 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
* 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
* 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
* 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
* 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)
* 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)
* 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
* 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
* 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
* 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)