The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-office, indicator-shellcode, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules) * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules) * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules) * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules) * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules) * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules) * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules) * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules) * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules) * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
* 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules) * 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules) * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules) * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules) * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules) * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules) * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules) * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules) * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules) * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules) * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules) * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules) * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules) * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules) * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules)
* 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules) * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules) * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules) * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules) * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31765 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31764 <-> DISABLED <-> SERVER-OTHER MIT Kerberos KDC TGS request cross-realm referral null pointer dereference denial of service attempt (server-other.rules) * 1:31763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31762 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31761 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31760 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31759 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:31758 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:31757 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 1:31756 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 1:31755 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Miras variant outbound connection (malware-cnc.rules) * 1:31754 <-> ENABLED <-> BLACKLIST DNS request for known malware domain microsoftca.com - Win.Trojan.Miras (blacklist.rules) * 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound communication attempt (malware-cnc.rules) * 1:31752 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules) * 1:31750 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31749 <-> ENABLED <-> FILE-FLASH Adobe Flash Player marshallException through JavaScript XSS attempt (file-flash.rules) * 1:31748 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qulkonwi outbound communication (malware-cnc.rules) * 1:31747 <-> DISABLED <-> SERVER-WEBAPP Gitlab ssh key upload command injection attempt (server-webapp.rules) * 1:31746 <-> ENABLED <-> MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt (malware-backdoor.rules) * 1:31745 <-> DISABLED <-> SERVER-WEBAPP vTiger CRM install module command injection attempt (server-webapp.rules) * 1:31744 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eratoma outbound communication (malware-cnc.rules) * 1:31743 <-> DISABLED <-> SERVER-WEBAPP Wordpress WPTouch file upload remote code execution attempt (server-webapp.rules) * 1:31742 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server admin interface remote code execution attempt (server-webapp.rules) * 1:31741 <-> ENABLED <-> SERVER-OTHER Multi-Router Looking Glass remote command injection attempt (server-other.rules)
* 1:31614 <-> DISABLED <-> POLICY-OTHER Adobe Flash Player possible cross-domain bypass attempt (policy-other.rules) * 1:7872 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX clsid access (browser-plugins.rules) * 1:31178 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31179 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:31177 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:30504 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GetClassObject use after free attempt (browser-ie.rules) * 1:31176 <-> DISABLED <-> SERVER-OTHER GnuTLS Server Hello Session ID heap overflow attempt (server-other.rules) * 1:25634 <-> DISABLED <-> INDICATOR-SHELLCODE unescape encoder shellcode (indicator-shellcode.rules) * 1:29957 <-> DISABLED <-> SERVER-OTHER Webster HTTP Server uri buffer overflow attempt (server-other.rules) * 1:21292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:23060 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules) * 1:15855 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Spreadsheet 10.0 ActiveX function call access (browser-plugins.rules) * 1:19138 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM getnnmdata.exe CGI hostname parameter buffer overflow attempt (server-webapp.rules) * 1:15689 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX clsid access (browser-plugins.rules) * 1:15691 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Web Components 11 Spreadsheet ActiveX function call access (browser-plugins.rules) * 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules) * 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
