Talos has added and modified multiple rules in the file-java, file-office, file-other, file-pdf, malware-cnc, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49248 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49249 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49243 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49256 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49247 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49242 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49250 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49255 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 1:49251 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49246 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49244 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 3:49240 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Assurance unauthorized access attempt (server-webapp.rules)
* 3:49237 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49239 <-> ENABLED <-> SERVER-WEBAPP Exhibitor for ZooKeeper javaEnvironment command injection attempt (server-webapp.rules)
* 3:49238 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49241 <-> ENABLED <-> PROTOCOL-TFTP Read Request directory traversal attempt (protocol-tftp.rules)

* 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49249 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49250 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49251 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49248 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49256 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49255 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49242 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49246 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49247 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:49243 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49244 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 1:49245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 3:49241 <-> ENABLED <-> PROTOCOL-TFTP Read Request directory traversal attempt (protocol-tftp.rules)
* 3:49240 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Assurance unauthorized access attempt (server-webapp.rules)
* 3:49239 <-> ENABLED <-> SERVER-WEBAPP Exhibitor for ZooKeeper javaEnvironment command injection attempt (server-webapp.rules)
* 3:49238 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49237 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)

* 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (snort3-file-other.rules)
* 1:49250 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
* 1:49246 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (snort3-file-other.rules)
* 1:49249 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (snort3-server-webapp.rules)
* 1:49251 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
* 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
* 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
* 1:49255 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (snort3-file-java.rules)
* 1:49256 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (snort3-file-java.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (snort3-server-other.rules)
* 1:49244 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (snort3-file-other.rules)
* 1:49243 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (snort3-file-other.rules)
* 1:49242 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (snort3-file-other.rules)
* 1:49247 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (snort3-file-other.rules)
* 1:49248 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (snort3-server-webapp.rules)

* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (snort3-malware-cnc.rules)
* 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (snort3-file-pdf.rules)
* 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49243 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49246 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49247 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49256 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 1:49244 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 1:49248 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49250 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49251 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49249 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49242 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49255 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 3:49239 <-> ENABLED <-> SERVER-WEBAPP Exhibitor for ZooKeeper javaEnvironment command injection attempt (server-webapp.rules)
* 3:49238 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49240 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Assurance unauthorized access attempt (server-webapp.rules)
* 3:49241 <-> ENABLED <-> PROTOCOL-TFTP Read Request directory traversal attempt (protocol-tftp.rules)
* 3:49237 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)

* 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49243 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49242 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing type confusion attempt (file-other.rules)
* 1:49256 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49255 <-> ENABLED <-> FILE-JAVA Oracle Java ImagingLib buffer overflow attempt (file-java.rules)
* 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:49251 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49250 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
* 1:49249 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49248 <-> DISABLED <-> SERVER-WEBAPP WordPress login reconnaissance attempt (server-webapp.rules)
* 1:49247 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49246 <-> ENABLED <-> FILE-OTHER Adobe Acrobat JavaScript engine security bypass attempt (file-other.rules)
* 1:49245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 1:49244 <-> DISABLED <-> FILE-OTHER Adobe Acrobat PostScript parsing arbitrary code execution attempt (file-other.rules)
* 3:49237 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49238 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0781 attack attempt (file-other.rules)
* 3:49239 <-> ENABLED <-> SERVER-WEBAPP Exhibitor for ZooKeeper javaEnvironment command injection attempt (server-webapp.rules)
* 3:49240 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Assurance unauthorized access attempt (server-webapp.rules)
* 3:49241 <-> ENABLED <-> PROTOCOL-TFTP Read Request directory traversal attempt (protocol-tftp.rules)

* 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
* 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
* 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)