The Sourcefire VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-other, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)
* 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
* 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)
* 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
* 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
* 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)

* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
* 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
* 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)
* 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)
* 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)

* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31094 <-> ENABLED <-> SERVER-WEBAPP Web Terria remote command execution attempt (server-webapp.rules)
* 1:31093 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound Oracle Java request (deleted.rules)
* 1:31092 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit outbound URL structure (deleted.rules)
* 1:31091 <-> DISABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 1:31090 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk (blacklist.rules)
* 1:31089 <-> ENABLED <-> PUA-ADWARE Win.Adware.CloseApp variant outbound connection (pua-adware.rules)
* 1:31088 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31087 <-> DISABLED <-> FILE-OTHER Sophos RAR virtual machine filters memory corruption attempt (file-other.rules)
* 1:31086 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31085 <-> DISABLED <-> FILE-OTHER Autodesk AutoCAD insecure acad.fas file load attempt (file-other.rules)
* 1:31084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot variant outbound connection attempt (malware-cnc.rules)
* 1:31083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bexelets variant outbound connection (malware-cnc.rules)
* 1:31082 <-> DISABLED <-> SERVER-OTHER Vino VNC multiple client authentication denial of service attempt (server-other.rules)

* 1:29443 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)