Talos has added and modified multiple rules in the browser-plugins, file-image, file-other, malware-cnc, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
* 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
* 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
* 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
* 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
* 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
* 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (snort3-policy-other.rules)
* 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (snort3-file-image.rules)
* 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (snort3-policy-other.rules)
* 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (snort3-server-other.rules)
* 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (snort3-server-other.rules)
* 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)
* 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (snort3-browser-plugins.rules)
* 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
* 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (snort3-policy-other.rules)
* 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (snort3-file-image.rules)
* 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
* 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
* 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
* 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
* 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)
* 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
* 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
* 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
* 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
* 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
* 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
* 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
* 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
* 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
* 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
* 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
* 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
* 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
* 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)