The VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-firefox, browser-ie, file-office, file-pdf, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules) * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules) * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules) * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules) * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules) * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules) * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules) * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules) * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules) * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules) * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules) * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules) * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules) * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules) * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules) * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules) * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules) * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules) * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules) * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules) * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules) * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules) * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules) * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules) * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules) * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules) * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules) * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules) * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules) * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules) * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules) * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules) * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules) * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules) * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules) * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules) * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules) * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules) * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules) * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules) * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules) * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules) * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules) * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules) * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules) * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules) * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules) * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules) * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules) * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules) * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules) * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules) * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules) * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules) * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules) * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules) * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules) * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall outbound connection attempt (malware-cnc.rules) * 1:31449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CryptoWall downloader attempt (malware-cnc.rules) * 1:31448 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nofbiatdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mediaocean.home.pl - Win.Trojan.CryptoWall (blacklist.rules) * 1:31446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain maskaradshowdominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain likeyoudominicana.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31444 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dominicanajoker.com - Win.Trojan.CryptoWall (blacklist.rules) * 1:31443 <-> DISABLED <-> SERVER-WEBAPP ActiveState ActivePerl perlIIS.dll server URI buffer overflow attempt (server-webapp.rules) * 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules) * 1:31441 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed chart arbitrary code execution attempt (file-office.rules) * 1:31440 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31439 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:31438 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:31437 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:31436 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31435 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB record memory corruption attempt (file-office.rules) * 1:31434 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Section Table Array Buffer Overflow attempt (file-office.rules) * 1:31433 <-> DISABLED <-> MALWARE-CNC MSIL Worm command and control connection (malware-cnc.rules) * 3:31398 <-> ENABLED <-> BAD-TRAFFIC Cisco Unified IP phone BVSMWeb portal attack attempt (bad-traffic.rules)
* 1:19951 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel variant outbound connection (malware-cnc.rules) * 1:19296 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules) * 1:19950 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Defsel inbound connection (malware-cnc.rules) * 1:18656 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe strep overflow attempt (protocol-scada.rules) * 1:18657 <-> DISABLED <-> PROTOCOL-SCADA IGSS dc.exe file execution directory traversal attempt (protocol-scada.rules) * 1:18651 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe report template overflow attempt (protocol-scada.rules) * 1:18654 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe format string attempt (protocol-scada.rules) * 1:18649 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation overflow attempt (protocol-scada.rules) * 1:18648 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file upload/download attempt (protocol-scada.rules) * 1:12281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:12282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules) * 1:12280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML source file memory corruption attempt (browser-ie.rules) * 1:26176 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption attempt (file-office.rules) * 1:23879 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:23880 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Texture Declaration buffer overflow attempt (file-pdf.rules) * 1:21503 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SXDB memory corruption (file-office.rules) * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules) * 1:20030 <-> DISABLED <-> PROTOCOL-SCADA IGSS IGSSDataServer.exe file operation directory traversal attempt (protocol-scada.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
