Talos has added and modified multiple rules in the browser-ie, file-executable, file-image, file-office, file-other, file-pdf, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
* 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
* 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
* 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
* 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
* 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
* 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
* 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
* 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
* 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
* 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
* 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
* 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
* 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (snort3-file-other.rules)
* 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (snort3-malware-cnc.rules)
* 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
* 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (snort3-file-other.rules)
* 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
* 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (snort3-file-image.rules)
* 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (snort3-malware-cnc.rules)
* 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
* 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
* 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
* 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
* 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (snort3-file-pdf.rules)
* 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (snort3-malware-cnc.rules)
* 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
* 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
* 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (snort3-file-image.rules)
* 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (snort3-file-image.rules)
* 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (snort3-file-image.rules)
* 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (snort3-file-other.rules)
* 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (snort3-file-other.rules)
* 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (snort3-file-other.rules)
* 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (snort3-malware-cnc.rules)
* 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
* 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (snort3-file-pdf.rules)
* 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (snort3-file-other.rules)
* 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
* 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
* 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
* 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
* 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (snort3-malware-other.rules)
* 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (snort3-malware-cnc.rules)
* 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
* 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (snort3-file-office.rules)
* 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
* 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
* 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (snort3-file-office.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
* 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
* 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
* 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
* 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
* 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
* 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
* 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
* 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
* 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
* 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
* 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
* 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
* 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
* 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
* 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
* 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
* 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
* 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
* 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
* 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
* 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)