Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
* 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)
* 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
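Two things in these listings matter operationally: most of the new rules ship DISABLED, so they do not alert until you enable them in your policy, and the one gid 3 (shared-object) rule, 3:47166, appears in the Snort 2 packs but not in the Snort 3 pack. The parser below is an added example written for this page, not Talos or Snort tooling. It reads the `gid:sid <-> Default rule state <-> Message (rule group)` format, tolerates several entries run together on one line as in the extraction above, and answers the questions an operator asks of each release: which rules fire by default, which disabled rules in a category you care about need enabling (emitted as gid:sid strings, the form that tools such as pulledpork's enablesid.conf accept), and how two packs differ. The excerpts embedded in the block are taken from the listing above.

```python
"""Parse Talos/Snort rule-update listings of the form
    * gid:sid <-> Default rule state <-> Message (rule group)
and report what an operator has to act on (added example, not Talos tooling)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One listing entry. The rule group is anchored to the end of the line so that
# parentheses that might appear inside a message cannot be mistaken for it.
ENTRY_RE = re.compile(
    r"^\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# Extraction sometimes runs several entries onto one line; split them apart again.
SPLIT_RE = re.compile(r"\s+(?=\*\s*\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str  # first token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str     # rule file, e.g. server-webapp.rules or snort3-server-webapp.rules

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_listing(text: str) -> list[RuleEntry]:
    """Return every well-formed entry in text, sorted by gid then sid; other lines are ignored."""
    entries: list[RuleEntry] = []
    for raw in text.splitlines():
        for piece in SPLIT_RE.split(raw):
            m = ENTRY_RE.match(piece.strip())
            if m is None:
                continue
            msg = m.group("msg")
            entries.append(RuleEntry(
                gid=int(m.group("gid")), sid=int(m.group("sid")),
                enabled=m.group("state") == "ENABLED",
                category=msg.split(" ", 1)[0], message=msg, group=m.group("group"),
            ))
    return sorted(entries, key=lambda e: (e.gid, e.sid))


def enabled_by_default(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of rules that fire without any policy change."""
    return [e.key for e in entries if e.enabled]


def candidates_to_enable(entries: list[RuleEntry], category: str) -> list[str]:
    """Disabled rules in a category, as gid:sid strings (the form pulledpork's
    enablesid.conf accepts) for an operator who needs that coverage."""
    return [e.key for e in entries if not e.enabled and e.category == category]


def by_group(entries: list[RuleEntry]) -> dict[str, int]:
    """Number of listed rules per rule file."""
    return dict(Counter(e.group for e in entries))


def sid_diff(a: list[RuleEntry], b: list[RuleEntry]) -> tuple[set[str], set[str]]:
    """(in a only, in b only) by gid:sid, e.g. to compare the Snort 2 and Snort 3 packs."""
    ka, kb = {e.key for e in a}, {e.key for e in b}
    return ka - kb, kb - ka


# Excerpts of the listing above (Snort 2 and Snort 3 packs). The second Snort 2
# line deliberately carries two entries run together, as in the extracted page.
SNORT2_EXCERPT = """\
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules) * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)
The format of the file is:
"""
SNORT3_EXCERPT = """\
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (snort3-browser-ie.rules)
"""

if __name__ == "__main__":
    s2, s3 = parse_listing(SNORT2_EXCERPT), parse_listing(SNORT3_EXCERPT)
    print("enabled by default:", enabled_by_default(s2))
    print("SERVER-WEBAPP rules you must enable yourself:", candidates_to_enable(s2, "SERVER-WEBAPP"))
    print("per rule file:", by_group(s2))
    print("in Snort 2 pack only / Snort 3 pack only:", sid_diff(s2, s3))
```

Run against the full listings rather than the excerpts, the same functions show that only the two Ursnif rules and the UCS Director shared-object rule alert out of the box, and that the Snort 3 pack is the one without 3:47166.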
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
* 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)
* 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (snort3-policy-other.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
* 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
* 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
* 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
* 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (snort3-file-image.rules)
* 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (snort3-file-image.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (snort3-server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (snort3-browser-ie.rules)
* 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (snort3-browser-ie.rules)
* 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (snort3-file-pdf.rules)
* 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (snort3-file-pdf.rules)
* 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (snort3-browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
* 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (snort3-browser-ie.rules)
* 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (snort3-browser-ie.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (snort3-indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (snort3-indicator-obfuscation.rules)
* 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (snort3-server-samba.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
* 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)
* 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
* 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
* 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
* 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
* 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
* 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
* 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)
* 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)