Talos has added and modified multiple rules in the indicator-compromise, malware-cnc, os-other, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules) * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules) * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules) * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules) * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules) * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules) * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules) * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
* 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules) * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (snort3-os-other.rules) * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules) * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (snort3-server-webapp.rules) * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (snort3-malware-cnc.rules) * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules) * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (snort3-server-webapp.rules) * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules) * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (snort3-malware-cnc.rules) * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (snort3-malware-cnc.rules) * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (snort3-os-other.rules)
* 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (snort3-server-iis.rules) * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules) * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules) * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules) * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules) * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules) * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules) * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules) * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules) * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules) * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
* 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules) * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules) * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules) * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules) * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules) * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules) * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules) * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
* 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules) * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules) * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules) * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules) * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules) * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules) * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules) * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules) * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules) * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules) * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules) * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules) * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules) * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules) * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules) * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
* 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules) * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
