Talos has added and modified multiple rules in the browser-plugins, file-image, file-office, file-other, malware-backdoor and protocol-dns rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
* 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (snort3-file-office.rules)
* 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (snort3-file-other.rules)
* 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (snort3-file-office.rules)
* 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (snort3-file-other.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (snort3-file-other.rules)
* 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (snort3-protocol-dns.rules)
* 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (snort3-malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
* 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
* 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
* 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
* 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)