The VRT has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31613 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31612 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31587 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XDP encoded download attempt (file-pdf.rules)
* 1:31602 <-> ENABLED <-> BLACKLIST DNS request for known malware domain casion-onlinepokies.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31600 <-> ENABLED <-> BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (blacklist.rules)
* 1:31601 <-> ENABLED <-> BLACKLIST DNS request for known malware domain .bayandovmeci.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31592 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection attempt (malware-cnc.rules)
* 1:31590 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31588 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt (server-webapp.rules)
* 1:31589 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba payload download request (malware-cnc.rules)
* 1:31608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:18482 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt (browser-ie.rules)
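The entry format described above is regular enough to parse, and extracted copies of these changelogs tend to run many entries together on one line or break a single entry across two. The following Python is an added example, not part of the VRT changelog or of any Snort or Sourcefire tooling: it scans for the `gid:sid <-> STATE <-> message (group.rules)` pattern regardless of line breaks, lists the rules a pack ships DISABLED (the ones that give no coverage until an operator opts in, such as the D-Link hedwig.cgi and Linux iSCSI signatures), and diffs two packs by SID and default state. The two sample strings are excerpts of the 2956 and 2961 lists on this page, constructed here as inline input; the diff between them is empty because, as the lists show, the packs carry the same rules in a different order.

```python
"""Parse Snort VRT rule-pack changelog entries and diff two packs.

Each entry has the form  gid:sid <-> STATE <-> Message (rule-group.rules).
Extracted copies of the changelog often run many entries together on one
line, or break one entry across lines, so we scan for the pattern with
finditer instead of assuming one entry per line."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)",
    re.DOTALL,
)

# Constructed sample input: a four-entry excerpt of the 2956 list on this
# page, reproducing the line break that falls inside the 1:31592 entry.
PACK_2956_EXCERPT = """\
* 1:31588 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt (server-webapp.rules) * 1:31592 <-> DISABLED
<-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules) * 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection attempt (malware-cnc.rules) * 1:31590 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
"""

# Constructed sample input: the same four rules as they appear in the 2961
# list, one entry per line and in a different order.
PACK_2961_EXCERPT = """\
* 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection attempt (malware-cnc.rules)
* 1:31592 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31590 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31588 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt (server-webapp.rules)
"""


def parse_changelog(text):
    """Return {(gid, sid): {"state", "msg", "group"}} for every entry found."""
    rules = {}
    for m in ENTRY_RE.finditer(text):
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def disabled_by_default(rules):
    """Group the SIDs a pack ships DISABLED by rule file, sorted by SID.

    These rules give no coverage until an operator enables them, so this is
    the list to review against the estate (D-Link gear, iSCSI targets, Chrome
    fleets) after every pack update."""
    out = defaultdict(list)
    for (gid, sid), r in rules.items():
        if r["state"] == "DISABLED":
            out[r["group"]].append(f"{gid}:{sid}")
    return {g: sorted(v, key=lambda s: int(s.split(":")[1])) for g, v in out.items()}


def diff_packs(old, new):
    """Report SIDs added, removed, or flipped between ENABLED and DISABLED."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    state_changed = sorted(
        k for k in set(old) & set(new) if old[k]["state"] != new[k]["state"]
    )
    return {"added": added, "removed": removed, "state_changed": state_changed}


if __name__ == "__main__":
    old = parse_changelog(PACK_2956_EXCERPT)
    new = parse_changelog(PACK_2961_EXCERPT)
    for group, sids in sorted(disabled_by_default(new).items()):
        print(f"{group}: {' '.join(sids)}")
    print("diff 2956 -> 2961:", diff_packs(old, new))
```

Feed the full changelog text of two consecutive packs to `parse_changelog` and `diff_packs` to see exactly which SIDs a new release added or flipped; the `disabled_by_default` output is the candidate list for your rule manager's enable configuration once you have checked each entry against what actually runs on your network.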
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba payload download request (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31602 <-> ENABLED <-> BLACKLIST DNS request for known malware domain casion-onlinepokies.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31600 <-> ENABLED <-> BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (blacklist.rules)
* 1:31601 <-> ENABLED <-> BLACKLIST DNS request for known malware domain .bayandovmeci.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection attempt (malware-cnc.rules)
* 1:31592 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31590 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31588 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt (server-webapp.rules)
* 1:31589 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31587 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XDP encoded download attempt (file-pdf.rules)
* 1:31613 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31612 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:18482 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31613 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31612 <-> ENABLED <-> FILE-PDF Adobe Reader embedded PRC stream NULL dereference denial of service attempt (file-pdf.rules)
* 1:31611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer cloneNode for loop remote code execution attempt (browser-ie.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba payload download request (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31602 <-> ENABLED <-> BLACKLIST DNS request for known malware domain casion-onlinepokies.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31601 <-> ENABLED <-> BLACKLIST DNS request for known malware domain .bayandovmeci.com - Win.Trojan.Glupteba (blacklist.rules)
* 1:31600 <-> ENABLED <-> BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba (blacklist.rules)
* 1:31599 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31598 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted obfuscated use after free attempt (browser-chrome.rules)
* 1:31597 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31596 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted embed use after free attempt (browser-chrome.rules)
* 1:31595 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31594 <-> DISABLED <-> BROWSER-CHROME Google Chrome NotifyInstanceWasDeleted object use after free attempt (browser-chrome.rules)
* 1:31593 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.SMSSend outbound connection attempt (malware-cnc.rules)
* 1:31592 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:31590 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31589 <-> DISABLED <-> PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt (protocol-services.rules)
* 1:31588 <-> DISABLED <-> SERVER-WEBAPP D-Link Multiple Products hedwig.cgi cookie buffer overflow attempt (server-webapp.rules)
* 1:31587 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XDP encoded download attempt (file-pdf.rules)
* 1:18482 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer History.go method double free corruption attempt (browser-ie.rules)