The VRT has added and modified multiple rules in the exploit-kit, file-identify, file-office, file-other, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats against the technologies those rule sets cover.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
* 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
* 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
* 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
* 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)

* 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
* 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
* 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
* 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
* 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
* 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
* 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
* 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)

* 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
* 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31780 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 1:31777 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31770 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt (exploit-kit.rules)
* 1:31768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ecsudown outbound communication (malware-cnc.rules)
* 1:31769 <-> ENABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port (exploit-kit.rules)
* 1:31766 <-> DISABLED <-> SERVER-OTHER Cougar-LG addr parameter XSS attempt (server-other.rules)
* 1:31767 <-> DISABLED <-> SERVER-OTHER MRLG fastping echo reply memory corruption attempt (server-other.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31771 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31778 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:31779 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)

* 1:16517 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing comment overflow attempt (file-other.rules)
* 1:16520 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing path overflow attempt (file-other.rules)
* 1:16518 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing announce overflow attempt (file-other.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Outlook mailto injection attempt (file-office.rules)
* 1:16519 <-> DISABLED <-> FILE-OTHER Free Download Manager .torrent parsing name overflow attempt (file-other.rules)
* 3:30890 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30885 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:31451 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified IP phone BVSMWeb portal attack attempt (protocol-voip.rules)
* 3:30886 <-> ENABLED <-> PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt (protocol-voip.rules)
* 3:30888 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
* 3:30889 <-> ENABLED <-> PROTOCOL-VOIP Content-Type media type overflow denial of service attempt (protocol-voip.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)