Talos has added and modified multiple rules in the file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47697 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47696 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47695 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47701 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
* 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47708 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fallchill variant outbound connection (malware-cnc.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (server-webapp.rules)
* 3:47715 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47713 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47706 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47710 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47709 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers arbitrary file read attempt (server-webapp.rules)
* 3:47714 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47707 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Router information disclosure attempt (server-other.rules)
* 3:47711 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47704 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47705 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47708 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fallchill variant outbound connection (malware-cnc.rules)
* 1:47695 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47696 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47701 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
* 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47697 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (server-webapp.rules)
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 3:47710 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47711 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47715 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47705 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47704 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47714 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47713 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:47709 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers arbitrary file read attempt (server-webapp.rules)
* 3:47706 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47707 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Router information disclosure attempt (server-other.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47695 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (snort3-malware-cnc.rules)
* 1:47697 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (snort3-malware-cnc.rules)
* 1:47699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (snort3-os-windows.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47708 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fallchill variant outbound connection (snort3-malware-cnc.rules)
* 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (snort3-os-windows.rules)
* 1:47701 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (snort3-malware-cnc.rules)
* 1:47696 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (snort3-malware-cnc.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (server-webapp.rules)
* 1:47695 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47696 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47708 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fallchill variant outbound connection (malware-cnc.rules)
* 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47701 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
* 1:47699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47697 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 3:47710 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47711 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47706 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47707 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Router information disclosure attempt (server-other.rules)
* 3:47709 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers arbitrary file read attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:47704 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47705 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47713 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47714 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47715 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47699 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47697 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47696 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47695 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload (malware-cnc.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (server-webapp.rules)
* 1:47708 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fallchill variant outbound connection (malware-cnc.rules)
* 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
* 1:47701 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 3:47713 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47714 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 3:47710 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47711 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Router buffer overflow attempt (server-webapp.rules)
* 3:47707 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Router information disclosure attempt (server-other.rules)
* 3:47709 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers arbitrary file read attempt (server-webapp.rules)
* 3:47706 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47705 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:47704 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:47715 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
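Each of the lists above uses the same `gid:sid <-> Default rule state <-> Message (rule group)` line format, and the same sid can appear with a different rule group and a different gid mix from one rule pack to the next. The parser below is an added example, not Talos or Snort tooling, for turning a pasted change list into records and answering the two questions a deployer usually has: which rules ship DISABLED and therefore do nothing until the policy enables them, and which gid:sid entries are present in one pack but absent from another. The sample text is a subset of the entries listed on this page for the 2983 and 3000 packs. The treatment of gid 3 as shared-object (SO) rules follows Snort's gid convention, and the regex and function names are this example's own.

```python
"""Parse a Talos rule-release change list and compare two rule packs.

Added example (not Talos/Snort code). Input lines look like:
  * 1:47712 <-> DISABLED <-> SERVER-WEBAPP ... (server-webapp.rules)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One bullet per rule: "* gid:sid <-> ENABLED|DISABLED <-> Message (group.rules)"
LINE_RE = re.compile(
    r"^\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # The message leads with the rule category, e.g. "SERVER-WEBAPP".
        return self.message.split(" ", 1)[0]

    @property
    def shared_object(self) -> bool:
        # Snort reserves gid 3 for shared-object (SO) rules, which ship as a
        # precompiled bundle per platform rather than as plain-text rules.
        return self.gid == 3


def parse_changes(text: str) -> List[RuleChange]:
    """Parse every '* gid:sid <-> ...' bullet; fail loudly on a malformed one."""
    changes: List[RuleChange] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*"):
            continue  # headers, the format description, blank lines
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        changes.append(RuleChange(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            message=m["msg"], group=m["group"],
        ))
    return changes


def count_by_category(changes: List[RuleChange]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in changes:
        counts[c.category] = counts.get(c.category, 0) + 1
    return counts


def disabled_by_default(changes: List[RuleChange]) -> List[str]:
    """Rules that ship commented out; they alert on nothing until enabled."""
    return sorted(c.key for c in changes if not c.enabled)


def diff_packs(old: List[RuleChange], new: List[RuleChange]) -> Tuple[List[str], List[str]]:
    """(keys only in `new`, keys only in `old`), compared by gid:sid."""
    old_keys = {c.key for c in old}
    new_keys = {c.key for c in new}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


# Constructed sample: a subset of the entries listed on this page.
PACK_2983 = """
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (file-pdf.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (server-webapp.rules)
* 3:47707 <-> ENABLED <-> SERVER-OTHER Cisco RV Series Router information disclosure attempt (server-other.rules)
* 3:47715 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager command injection attempt (server-webapp.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
"""

PACK_3000 = """
* 1:47700 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed data out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:47712 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CloudPortalService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    old, new = parse_changes(PACK_2983), parse_changes(PACK_3000)
    print("by category:", count_by_category(old))
    print("disabled by default:", disabled_by_default(old))
    added, removed = diff_packs(old, new)
    print("only in 3000:", added, "| only in 2983:", removed)
    print("SO rules needing the platform bundle:",
          [c.key for c in old if c.shared_object])
```

Comparing by gid:sid rather than by message matters here: 3:47713, 3:47714 and 3:47715 carry the identical "Cisco Data Center Network Manager command injection attempt" message, so a message-keyed diff would collapse three rules into one. The DISABLED check is the one to act on before assuming coverage: both Quest DR Series rules ship disabled in every pack above.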