The VRT has added and modified multiple rules in the blacklist, file-flash, file-office, file-other, malware-backdoor, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats in these areas.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
* 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
* 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
* 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
* 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
* 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
* 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
* 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
* 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
* 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
* 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
* 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbout connection attempt (malware-cnc.rules)
* 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
* 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
* 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
* 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
* 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
* 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)

Modified rules:
* 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
* 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
* 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
* 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)
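The "gid:sid <-> Default rule state <-> Message (rule group)" format is simple enough to parse mechanically, and for a pack this size that is worth doing: what a sensor owner mostly needs to know is which new rules ship DISABLED, because installing the pack alone gives no coverage from those. In this pack that includes the Word RTF memory corruption rules, the Mozilla clipPath rules, three of the four SERVER-WEBAPP rules and the HP UCMDB default-credential rule. The following is an added example, not part of the Snort release notes or any Sourcefire/Talos tooling. The sample text is constructed from entries on this page and deliberately run together the way the extracted page presents them; the gid:sid output format is an assumption that rule state is managed with PulledPork's enablesid.conf.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: entries copied from the listing above, joined with " * "
# and with one message broken across a line, as the extracted page has them.
# Real release notes put one entry per line; the parser accepts both.
SAMPLE_NOTES = (
    "gid:sid <-> Default rule state <-> Message (rule group)\n"
    "* 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials "
    "authentication attempt (policy-other.rules) * 1:31842 <-> ENABLED <-> FILE-FLASH "
    "Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules) "
    "* 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format "
    "unexpected field type memory corruption attempt 1 (file-office.rules) "
    "* 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain\n"
    "www.ltp666.com - Win.Trojan.Graftor (blacklist.rules) "
    "* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate "
    "servlet directory traversal attempt (server-webapp.rules)\n"
    "* 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection "
    "- init connection (malware-backdoor.rules)\n"
)

# One entry: gid:sid, default state, free-text message, then "(file.rules)".
# DOTALL lets a message that was wrapped across a line still match.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default state shipped in the pack
    category: str      # leading token of the message, e.g. FILE-OFFICE
    msg: str
    group: str         # rules file the rule lives in

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_release_notes(text: str) -> List[Rule]:
    """Extract every rule entry from release-note text, sorted by gid:sid.
    The format header line has no digits before the colon and is skipped."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        msg = " ".join(m.group("msg").split())   # collapse wrapped lines / runs of spaces
        rules.append(Rule(
            gid=int(m.group("gid")), sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            category=msg.split(" ", 1)[0], msg=msg, group=m.group("group"),
        ))
    return sorted(rules, key=lambda r: (r.gid, r.sid))


def disabled_by_default(rules: Iterable[Rule],
                        categories: Optional[Iterable[str]] = None) -> List[Rule]:
    """Rules that ship DISABLED, optionally narrowed to message categories
    (e.g. the exploit-detection classes relevant to software you actually run)."""
    wanted = set(categories) if categories else None
    return [r for r in rules if not r.enabled and (wanted is None or r.category in wanted)]


def state_summary(rules: Iterable[Rule]) -> Dict[Tuple[str, str], int]:
    """Number of rules per (rules file, default state)."""
    return dict(Counter((r.group, "ENABLED" if r.enabled else "DISABLED") for r in rules))


def enablesid_lines(rules: Iterable[Rule]) -> List[str]:
    """gid:sid lines, one per rule, in the form PulledPork's enablesid.conf accepts
    (assumption: rule state is managed with PulledPork; adapt for other tooling)."""
    return [r.key for r in sorted(rules, key=lambda r: (r.gid, r.sid))]


if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE_NOTES)
    for r in parsed:
        print(f"{r.key:<9} {'on ' if r.enabled else 'off'} {r.group:<22} {r.msg}")
    print(state_summary(parsed))
    off = disabled_by_default(parsed, {"FILE-OFFICE", "SERVER-WEBAPP", "POLICY-OTHER"})
    print("\n".join(enablesid_lines(off)))
```

Feed the whole release-note text to parse_release_notes and pass the categories for products in your environment to disabled_by_default; the resulting gid:sid list is what to review before turning anything on, since the FILE-OFFICE and SERVER-WEBAPP rules are disabled by default precisely because they can be noisy where the product is absent.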
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
* 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
* 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
* 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
* 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
* 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
* 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
* 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
* 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
* 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
* 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
* 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbout connection attempt (malware-cnc.rules)
* 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
* 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
* 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
* 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
* 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
* 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)

Modified rules:
* 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
* 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
* 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
* 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound communication (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31815 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.ltp666.com - Win.Trojan.Graftor (blacklist.rules)
* 1:31816 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yuzhanqiu1990.3322.org - Win.Trojan.Graftor (blacklist.rules)
* 1:31817 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG (malware-other.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:31819 <-> DISABLED <-> SERVER-WEBAPP HP Network Virtualization toServerObject directory traversal attempt (server-webapp.rules)
* 1:31820 <-> ENABLED <-> MALWARE-CNC Win.Banker.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31821 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31822 <-> DISABLED <-> FILE-OTHER Mozilla products clipPath element stroke-width buffer overflow attempt (file-other.rules)
* 1:31823 <-> ENABLED <-> SERVER-WEBAPP AlienVault OSSIM remote_task command injection attempt (server-webapp.rules)
* 1:31824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection attempt (malware-cnc.rules)
* 1:31825 <-> ENABLED <-> BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf (blacklist.rules)
* 1:31826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant HTTP Response (malware-cnc.rules)
* 1:31827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Delf variant outbound connection attempt (malware-cnc.rules)
* 1:31828 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection (malware-cnc.rules)
* 1:31829 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt (blacklist.rules)
* 1:31830 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31831 <-> ENABLED <-> POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt (policy-other.rules)
* 1:31832 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pfinet outbound communication (malware-cnc.rules)
* 1:31833 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chkbot outbound communication (malware-cnc.rules)
* 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbout connection attempt (malware-cnc.rules)
* 1:31835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yesudac variant outbound connection attempt (malware-cnc.rules)
* 1:31836 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection attempt (malware-cnc.rules)
* 1:31837 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retgate variant outbound connection attempt (malware-cnc.rules)
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31840 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31841 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player local-with-file-access security bypass attempt (file-flash.rules)
* 1:31843 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 1 (file-office.rules)
* 1:31844 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 2 (file-office.rules)
* 1:31845 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format unexpected field type memory corruption attempt 3 (file-office.rules)
* 1:31846 <-> DISABLED <-> POLICY-OTHER HP Universal CMDB default credentials authentication attempt (policy-other.rules)

Modified rules:
* 1:10111 <-> DISABLED <-> MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection (malware-backdoor.rules)
* 1:31360 <-> DISABLED <-> SERVER-WEBAPP PHP include parameter remote file include attempt (server-webapp.rules)
* 1:31377 <-> DISABLED <-> SERVER-WEBAPP PHP includedir parameter remote file include attempt (server-webapp.rules)
* 1:31459 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jaktinier outbound communication (malware-cnc.rules)