Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-other, browser-webkit, file-multimedia, file-office, indicator-compromise, malware-cnc, malware-other, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
* 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
* 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
* 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
* 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
* 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
* 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
* 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

* 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
* 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
* 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
* 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
* 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
* 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
* 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
* 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

* 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (snort3-malware-cnc.rules)
* 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
* 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (snort3-malware-other.rules)
* 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (snort3-indicator-compromise.rules)
* 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
* 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (snort3-malware-other.rules)
* 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (snort3-malware-cnc.rules)
* 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (snort3-malware-cnc.rules)
* 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (snort3-malware-cnc.rules)
* 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (snort3-malware-cnc.rules)

* 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
* 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
* 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
* 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
* 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
* 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
* 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
* 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

* 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
* 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
* 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
* 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
* 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
* 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
* 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
* 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
* 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
* 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
* 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
* 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

* 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
* 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
* 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
* 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)