Talos has added and modified multiple rules in the file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47624 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47618 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Trickbot variant outbound connection (malware-cnc.rules)
* 1:47620 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47621 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt (malware-cnc.rules)
* 1:47616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt (malware-cnc.rules)
* 1:47617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47619 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47626 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47631 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47623 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47629 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47625 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47622 <-> DISABLED <-> SERVER-WEBAPP Piltz PASvisu denial of service attempt (server-webapp.rules)
* 1:47628 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 3:47632 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub arbitrary command execution attempt (server-webapp.rules)
* 3:47633 <-> ENABLED <-> POLICY-OTHER Accelerite Endpoint Management default credentials login attempt (policy-other.rules)

* 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:46842 <-> ENABLED <-> MALWARE-CNC GPON botnet outbound communication (malware-cnc.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47625 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47619 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47618 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Trickbot variant outbound connection (malware-cnc.rules)
* 1:47622 <-> DISABLED <-> SERVER-WEBAPP Piltz PASvisu denial of service attempt (server-webapp.rules)
* 1:47624 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47620 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47623 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47626 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47631 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47628 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47629 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt (malware-cnc.rules)
* 1:47621 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt (malware-cnc.rules)
* 3:47632 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub arbitrary command execution attempt (server-webapp.rules)
* 3:47633 <-> ENABLED <-> POLICY-OTHER Accelerite Endpoint Management default credentials login attempt (policy-other.rules)

* 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:46842 <-> ENABLED <-> MALWARE-CNC GPON botnet outbound communication (malware-cnc.rules)
* 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47622 <-> DISABLED <-> SERVER-WEBAPP Piltz PASvisu denial of service attempt (snort3-server-webapp.rules)
* 1:47631 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (snort3-file-other.rules)
* 1:47627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt (snort3-malware-cnc.rules)
* 1:47617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (snort3-malware-cnc.rules)
* 1:47624 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47626 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (snort3-file-other.rules)
* 1:47619 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (snort3-server-webapp.rules)
* 1:47628 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules)
* 1:47620 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (snort3-server-webapp.rules)
* 1:47616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (snort3-malware-cnc.rules)
* 1:47629 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules)
* 1:47625 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (snort3-file-other.rules)
* 1:47623 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47621 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:47618 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Trickbot variant outbound connection (snort3-malware-cnc.rules)
* 1:47630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (snort3-file-other.rules)

* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
* 1:46842 <-> ENABLED <-> MALWARE-CNC GPON botnet outbound communication (snort3-malware-cnc.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
* 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (snort3-file-pdf.rules)
* 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47631 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47626 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47625 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47618 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Trickbot variant outbound connection (malware-cnc.rules)
* 1:47616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47622 <-> DISABLED <-> SERVER-WEBAPP Piltz PASvisu denial of service attempt (server-webapp.rules)
* 1:47627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt (malware-cnc.rules)
* 1:47624 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47619 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47620 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47623 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47629 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47628 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47621 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt (malware-cnc.rules)
* 3:47632 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub arbitrary command execution attempt (server-webapp.rules)
* 3:47633 <-> ENABLED <-> POLICY-OTHER Accelerite Endpoint Management default credentials login attempt (policy-other.rules)

* 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:46842 <-> ENABLED <-> MALWARE-CNC GPON botnet outbound communication (malware-cnc.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 1:47631 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro untrusted pointer dereference attempt (file-other.rules)
* 1:47629 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47628 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules)
* 1:47627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt (malware-cnc.rules)
* 1:47626 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47625 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader EMF path record out-of-bounds read attempt (file-other.rules)
* 1:47624 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47623 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG engine crafted symbol dictionary out-of-bounds read attempt (file-pdf.rules)
* 1:47622 <-> DISABLED <-> SERVER-WEBAPP Piltz PASvisu denial of service attempt (server-webapp.rules)
* 1:47621 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt (malware-cnc.rules)
* 1:47620 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47619 <-> DISABLED <-> SERVER-WEBAPP Symfony HttpFoundation component potential security bypass attempt (server-webapp.rules)
* 1:47618 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Trickbot variant outbound connection (malware-cnc.rules)
* 1:47617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant download (malware-cnc.rules)
* 3:47632 <-> ENABLED <-> SERVER-WEBAPP Cogent DataHub arbitrary command execution attempt (server-webapp.rules)
* 3:47633 <-> ENABLED <-> POLICY-OTHER Accelerite Endpoint Management default credentials login attempt (policy-other.rules)

* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:46842 <-> ENABLED <-> MALWARE-CNC GPON botnet outbound communication (malware-cnc.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)