Talos has added and modified multiple rules in the blacklist, malware-cnc, malware-other, policy-social, protocol-rpc, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
* 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
* 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
* 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)
* 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)
* 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
* 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
* 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
* 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
* 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
* 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
* 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
* 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
* 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)
* 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
* 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
* 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
* 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)
* 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)
* 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
* 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
* 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
* 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
* 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)
* 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
* 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)
* 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
* 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
* 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
* 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
* 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
* 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
* 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
* 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)
* 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)
* 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
* 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
* 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
* 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
* 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
* 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
* 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
* 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
* 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
* 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
* 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
* 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
* 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
* 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
* 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)
* 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)