The VRT has added and modified multiple rules in the blacklist, browser-ie, malware-backdoor, malware-cnc, malware-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
* 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
* 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)
* 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
* 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
* 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
* 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)
* 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
* 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
* 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
* 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
* 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
* 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
* 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
* 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)
* 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
* 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
* 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
* 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
* 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
* 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)
* 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
* 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)
* 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
* 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
* 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
* 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
* 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
* 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)
* 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
* 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31650 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
* 1:31649 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31648 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31647 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox webcm command injection attempt (server-webapp.rules)
* 1:31646 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31645 <-> DISABLED <-> BROWSER-IE Internet Explorer 5 XML page object type validation (browser-ie.rules)
* 1:31644 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Scarelocker outbound connection attempt (malware-cnc.rules)
* 1:31643 <-> ENABLED <-> BLACKLIST DNS request for known malware domain verify-terms.com - Andr.Trojan.Scarelocker (blacklist.rules)
* 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31640 <-> ENABLED <-> BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker (blacklist.rules)
* 1:31639 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus (blacklist.rules)
* 1:31638 <-> DISABLED <-> SERVER-WEBAPP Voodoo Chat index.php remote include path attempt (server-webapp.rules)
* 1:31637 <-> DISABLED <-> SERVER-WEBAPP Ad Fundum Integrateable News Script remote include path attempt (server-webapp.rules)
* 1:31636 <-> DISABLED <-> SERVER-WEBAPP Parallels Plesk Panel HTTP_AUTH_LOGIN SQL injection attempt (server-webapp.rules)
* 1:6317 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - file manager response (malware-backdoor.rules)
* 1:6313 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - message response (malware-backdoor.rules)
* 1:6315 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - open browser response (malware-backdoor.rules)
* 1:26382 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:6311 <-> DISABLED <-> MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted (malware-backdoor.rules)
* 1:26380 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:26381 <-> DISABLED <-> MALWARE-OTHER UTF-8 BOM in zip file attachment detected (malware-other.rules)
* 1:20180 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe passwd parameter buffer overflow attempt (server-webapp.rules)
* 1:21378 <-> DISABLED <-> SERVER-OTHER Novell iPrint attributes-natural-language buffer overflow attempt (server-other.rules)
* 1:11837 <-> DISABLED <-> SERVER-MAIL Microsoft Windows Mail file execution attempt (server-mail.rules)
* 1:20179 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovlogin.exe userid parameter buffer overflow attempt (server-webapp.rules)