Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-executable, file-other, malware-cnc, malware-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules) * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules) * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules) * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules) * 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules) * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules) * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules) * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules) * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules) * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
* 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules) * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules) * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules) * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules) * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules) * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules) * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules) * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules) * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules) * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules) * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules) * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules) * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
* 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules) * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules) * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules) * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules) * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules) * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules) * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules) * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules) * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules) * 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules) * 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules) * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules) * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules) * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules) * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules) * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules) * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
* 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules) * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules) * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules) * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules) * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules) * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules) * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules) * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules) * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules) * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
