The VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-office, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)
* 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
* 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
* 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
* 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
* 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
* 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
* 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
* 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
* 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
* 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
* 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)
* 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
* 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
* 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
* 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
* 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
* 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
* 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
* 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
* 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
* 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
* 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31927 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31926 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound communication (malware-cnc.rules)
* 1:31924 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31923 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt (malware-cnc.rules)
* 1:31922 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31921 <-> ENABLED <-> BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31920 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31919 <-> ENABLED <-> BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31918 <-> ENABLED <-> BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi (blacklist.rules)
* 1:31917 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa (blacklist.rules)
* 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
* 1:31914 <-> DISABLED <-> SERVER-WEBAPP Microsoft ASP.NET null byte injection attempt (server-webapp.rules)
* 1:31913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Maozhi variant outbound connection (malware-cnc.rules)
* 1:31912 <-> DISABLED <-> SERVER-WEBAPP cPanel 9.01 multiple URI parameters cross site scripting attempt (server-webapp.rules)
* 1:31911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection attempt (malware-cnc.rules)
* 1:31910 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Kanav variant outbound connection (deleted.rules)
* 1:31909 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Basostab variant outbound connection (malware-cnc.rules)
* 1:31908 <-> ENABLED <-> BLACKLIST DNS request for known malware domain recoalmeida.gratisphphost.info - Win.Trojan.Basostab (blacklist.rules)
* 1:31907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection attempt (malware-cnc.rules)
* 1:29725 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:29726 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:29723 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:29724 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word invalid sprmPNumRM record (file-office.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:28205 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:28206 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2003 macro byte opcode large data structure arbitrary code execution attempt (file-office.rules)
* 1:27859 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:27945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:26379 <-> DISABLED <-> SERVER-OTHER Squid proxy Accept-Language denial of service attempt (server-other.rules)
* 1:27858 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed OCXINFO element EoP attempt (file-office.rules)
* 1:22077 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ObjectLink invalid wLinkVar2 value attempt (file-office.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31752 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31751 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook mailto injection attempt (file-office.rules)
* 1:31714 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31713 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31712 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ragua variant outbound connection (malware-cnc.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 3:30884 <-> ENABLED <-> PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt (protocol-voip.rules)