Talos has added and modified multiple rules in the file-flash, file-image, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
* 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
* 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
* 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (snort3-malware-other.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (snort3-file-other.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (snort3-file-other.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules) * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (snort3-malware-other.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules) * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (snort3-malware-other.rules)
* 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (snort3-file-other.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules) * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (snort3-file-other.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
* 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules) * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules) * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules) * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules) * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules) * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules) * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules) * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules) * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules) * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules) * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules) * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules) * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules) * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules) * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
* 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules) * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules) * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
