Talos has added and modified multiple rules in the browser-chrome, browser-webkit, indicator-compromise, malware-cnc, os-mobile, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (snort3-server-webapp.rules)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (snort3-browser-chrome.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (snort3-browser-webkit.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (snort3-indicator-compromise.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (snort3-browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (snort3-browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (snort3-browser-webkit.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (snort3-malware-cnc.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (snort3-server-webapp.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (snort3-browser-chrome.rules)

* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (snort3-malware-cnc.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
* 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
* 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
* 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
* 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
* 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
* 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

* 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
* 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)