Talos has added and modified multiple rules in the file-pdf, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (snort3-malware-cnc.rules)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (snort3-malware-cnc.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (snort3-malware-cnc.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (snort3-server-other.rules)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (snort3-malware-tools.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48502 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48501 <-> ENABLED <-> MALWARE-TOOLS Win.Tool.Delete variant download detected (malware-tools.rules)
* 1:48500 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
* 1:48499 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
* 1:48498 <-> DISABLED <-> MALWARE-CNC 2nd Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:48497 <-> DISABLED <-> MALWARE-CNC 4th Stage Oilrig CNC connection attempt (malware-cnc.rules)
* 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
* 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)