Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
* 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
* 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
* 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
* 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
* 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
* 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
* 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
* 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
* 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
* 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
* 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
* 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
* 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
* 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
* 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
* 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
* 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
* 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
* 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
* 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
* 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
* 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
* 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
* 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
* 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
* 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
* 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
* 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
* 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
* 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
* 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
* 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
* 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
* 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
* 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (snort3-malware-cnc.rules)
* 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (snort3-malware-cnc.rules)
* 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (snort3-malware-cnc.rules)
* 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (snort3-malware-cnc.rules)
* 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (snort3-malware-cnc.rules)
* 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (snort3-malware-cnc.rules)
* 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (snort3-malware-cnc.rules)
* 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (snort3-malware-cnc.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (snort3-malware-cnc.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (snort3-malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (snort3-malware-cnc.rules)
* 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (snort3-malware-backdoor.rules)
* 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (snort3-malware-backdoor.rules)
* 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (snort3-malware-cnc.rules)
* 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (snort3-malware-cnc.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (snort3-malware-cnc.rules)
* 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (snort3-malware-backdoor.rules)
* 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (snort3-malware-cnc.rules)
* 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (snort3-malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
* 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
* 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
* 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
* 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
* 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
* 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
* 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
* 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
* 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
* 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
* 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
* 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
* 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
* 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
* 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
* 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
* 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46747 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qarallax outbound connection (malware-cnc.rules)
* 1:46746 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46745 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt (malware-cnc.rules)
* 1:46743 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt (malware-cnc.rules)
* 1:46742 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper malicious script download attempt (malware-cnc.rules)
* 1:46737 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46736 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 1:46735 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
* 3:46738 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API directory traversal attempt (server-webapp.rules)
* 3:46739 <-> ENABLED <-> SERVER-WEBAPP Cisco DNA Center API default login attempt (server-webapp.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46749 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server configuration download attempt (server-other.rules)
* 3:46750 <-> ENABLED <-> SERVER-OTHER Cisco Meeting Server user configuration download attempt (server-other.rules)
* 1:25015 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt (malware-backdoor.rules)
* 1:16113 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page (malware-cnc.rules)
* 1:16112 <-> DISABLED <-> MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server (malware-cnc.rules)
* 1:16487 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt (malware-backdoor.rules)
* 1:16486 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt (malware-backdoor.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
* 1:16551 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user agent - malware (malware-cnc.rules)
* 1:16368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq variant outbound connection (malware-cnc.rules)
* 1:16695 <-> ENABLED <-> MALWARE-CNC Rogue AV download/update (malware-cnc.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules)
* 1:16391 <-> ENABLED <-> MALWARE-CNC Gozi Win.Trojan.connection to C&C (malware-cnc.rules)
* 1:16670 <-> ENABLED <-> MALWARE-CNC Koobface worm executable download (malware-cnc.rules)
* 1:28541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess Download Headers (malware-cnc.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:16488 <-> ENABLED <-> MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt (malware-backdoor.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 3:45507 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)
* 3:45506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0517 attack attempt (file-pdf.rules)