Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)

* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (browser-ie.rules)
* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (file-flash.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)

* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (browser-ie.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (browser-ie.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (file-flash.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (snort3-malware-cnc.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (snort3-malware-cnc.rules)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (snort3-server-webapp.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (snort3-malware-cnc.rules)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (snort3-server-webapp.rules)

* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (snort3-browser-ie.rules)
* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (snort3-browser-ie.rules)
* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (snort3-browser-ie.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (snort3-file-other.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (snort3-file-other.rules)
* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (snort3-browser-ie.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (snort3-browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (snort3-browser-firefox.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (snort3-browser-ie.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (snort3-browser-ie.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (snort3-file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)

* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (browser-ie.rules)
* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (browser-ie.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (file-flash.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)

* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (file-flash.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (browser-ie.rules)
* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)

* 1:16311 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:17512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
* 1:17166 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
* 1:3149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt (browser-ie.rules)
* 1:27583 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:27582 <-> DISABLED <-> FILE-OTHER BitDefender Internet Security script code execution attempt (file-other.rules)
* 1:20279 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt (browser-ie.rules)
* 1:16310 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 6/7 single line outerHTML invalid reference arbitrary code execution attempt (browser-ie.rules)
* 1:16507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange memory corruption attempt (browser-ie.rules)
* 1:12183 <-> DISABLED <-> FILE-FLASH Adobe FLV long string script data buffer overflow attempt (file-flash.rules)
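Every listing above uses the same `gid:sid <-> Default rule state <-> Message (rule group)` format, and two operational questions follow from it: which rules a pack ships DISABLED (those need a deliberate opt-in before they detect anything), and what differs between the 2.x packs and the Snort 3 pack (the gid 3 shared-object rules appear only in the former). The following Python is an added example, not Talos tooling or part of the original post. It parses the format whether entries sit one per line or have been run together on one line, emits gid:sid lines in the form pulledpork's enablesid.conf accepts, and diffs two packs. The embedded sample listings are excerpts copied from the 2.9.12.0 and 3.0.0 listings above; the function and variable names are this example's own.

```python
"""Parse Snort rule-update listings of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and summarise what a pack ships disabled and what differs between packs.
Added example; names below are this example's own, not Talos tooling."""
import re
from dataclasses import dataclass

# One entry, located anywhere in the text. The message is matched lazily so it
# stops at the "(xxx.rules)" suffix even when several entries share one line.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str   # "ENABLED" or "DISABLED" as shipped in the pack
    msg: str
    group: str   # rule file, e.g. "malware-cnc.rules" or "snort3-malware-cnc.rules"

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_listing(text: str) -> list[RuleEntry]:
    """Extract every gid:sid entry from a listing, one per line or flattened."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"].strip(), m["group"])
        for m in ENTRY_RE.finditer(text)
    ]


def _by_id(entries: list[RuleEntry]) -> list[RuleEntry]:
    return sorted(entries, key=lambda e: (e.gid, e.sid))


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """gid:sid lines (the one-per-line form pulledpork's enablesid.conf takes)
    for every rule the pack ships DISABLED, for an operator to review and opt in."""
    return [e.key for e in _by_id(entries) if e.state == "DISABLED"]


def missing_from(pack_a: list[RuleEntry], pack_b: list[RuleEntry]) -> list[str]:
    """gid:sid keys present in pack A but absent from pack B."""
    keys_b = {e.key for e in pack_b}
    return [e.key for e in _by_id(pack_a) if e.key not in keys_b]


# Sample input: excerpt copied from the 2.9.12.0 listing, one entry per line.
PACK_2_9_12_0 = """\
* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (server-webapp.rules)
* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (malware-cnc.rules)
* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (server-webapp.rules)
* 3:48261 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 3:48262 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0703 attack attempt (server-webapp.rules)
* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
"""

# Sample input: excerpt copied from the 3.0.0 listing, run together on one line
# the way the page extraction flattened it.
PACK_3_0_0 = (
    "* 1:48260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Octopus outbound connection attempt (snort3-malware-cnc.rules) "
    "* 1:48263 <-> ENABLED <-> SERVER-WEBAPP Blueimp jQuery File Upload arbitrary PHP file upload attempt (snort3-server-webapp.rules) "
    "* 1:48257 <-> DISABLED <-> SERVER-WEBAPP Imperva SecureSphere command injection attempt (snort3-server-webapp.rules) "
    "* 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (snort3-browser-ie.rules)"
)


if __name__ == "__main__":
    snort2 = parse_listing(PACK_2_9_12_0)
    snort3 = parse_listing(PACK_3_0_0)
    print("shipped DISABLED in 2.9.12.0 pack:", enablesid_lines(snort2))
    print("in 2.9.12.0 pack but not in 3.0.0 pack:", missing_from(snort2, snort3))
    for e in _by_id(snort2):
        print(f"{e.key:>8} {e.state:<8} {e.group:<22} {e.msg}")
```

Run against the full listings, `missing_from` reports `3:48261` and `3:48262` for the 2.x-to-Snort 3 comparison, which is the shared-object (gid 3) coverage for TALOS-2018-0703 that the Snort 3 pack does not include; `enablesid_lines` lists the rules that will not fire until you turn them on.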