Talos has added and modified multiple rules in the deleted, file-image, file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
* 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
* 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
* 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
* 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
* 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
* 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
* 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (snort3-server-webapp.rules)
* 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (snort3-malware-other.rules)
* 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
* 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (snort3-deleted.rules)
* 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (snort3-malware-other.rules)
* 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (snort3-file-image.rules)
* 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
* 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules)
* 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
* 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (snort3-malware-other.rules)
* 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
* 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (snort3-server-webapp.rules)
* 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (snort3-malware-cnc.rules)
* 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
* 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (snort3-malware-other.rules)
* 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (snort3-file-image.rules)
* 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (snort3-malware-cnc.rules)
* 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (snort3-server-webapp.rules)
* 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (snort3-malware-cnc.rules)
* 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (snort3-pua-toolbars.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
* 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
* 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47876 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47875 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF ALPHABLEND heap overflow attempt (file-image.rules)
* 1:47873 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47872 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47871 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47870 <-> ENABLED <-> MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script (malware-other.rules)
* 1:47869 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47868 <-> ENABLED <-> MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable (malware-other.rules)
* 1:47867 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47866 <-> ENABLED <-> MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation (malware-other.rules)
* 1:47865 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47864 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47863 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console test_rancid_connection command injection attempt (server-webapp.rules)
* 1:47862 <-> DISABLED <-> DELETED SERVER-WEBAPP SonicWall GMS XML set_time_config command injection attempt (deleted.rules)
* 1:47861 <-> DISABLED <-> SERVER-WEBAPP Opsview Web Management Console testnotification command injection attempt (server-webapp.rules)
* 1:47877 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected (malware-cnc.rules)
* 1:47860 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 3:47878 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 3:47879 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player stack buffer overflow attempt (file-other.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:46482 <-> ENABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:44889 <-> ENABLED <-> PUA-TOOLBARS WidgiToolbar toolbar runtime detection (pua-toolbars.rules)
* 1:39743 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall GMS set_time_config XMLRPC method command injection attempt (server-webapp.rules)