The VRT has added and modified multiple rules in the blacklist, file-office, file-pdf, malware-backdoor, malware-cnc, os-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
A rule whose default state is DISABLED ships commented out in its .rules file and generates no alerts until it is explicitly enabled; the ManageEngine directory traversal rules and the Xsser mRAT file upload rule below are in that state and need a deliberate decision before deployment.
Added rules:
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
* 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
* 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
* 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
* 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
* 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
* 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
* 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
* 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
* 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
* 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
* 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
* 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
* 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)

Modified rules:
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
* 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
* 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
* 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
* 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
* 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
* 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
* 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
* 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
* 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
* 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
* 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
* 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
* 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
* 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)

Modified rules:
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox inbound connection attempt (malware-cnc.rules)
* 1:32064 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32063 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32062 <-> ENABLED <-> FILE-OFFICE Microsoft Office .CGM file cell array heap overflow attempt (file-office.rules)
* 1:32061 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection attempt (malware-cnc.rules)
* 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
* 1:32059 <-> ENABLED <-> PROTOCOL-SCADA KingSCADA Alarm Server stack buffer overflow attempt (protocol-scada.rules)
* 1:32058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection attempt (malware-cnc.rules)
* 1:32057 <-> DISABLED <-> SERVER-WEBAPP ManageEngine multipartRequest servlet directory traversal attempt (server-webapp.rules)
* 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
* 1:32055 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection (malware-backdoor.rules)
* 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
* 1:32053 <-> ENABLED <-> MALWARE-CNC Xsser mRAT GPS data upload (malware-cnc.rules)
* 1:32052 <-> ENABLED <-> BLACKLIST User-Agent Xsser mRAT user-agent (blacklist.rules)
* 1:32051 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.xsser.com (blacklist.rules)
* 1:32050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection attempt (malware-cnc.rules)
* 1:32049 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection attempt (malware-cnc.rules)
* 1:32047 <-> ENABLED <-> OS-OTHER Bash CGI nested loops word_lineno denial of service attempt (os-other.rules)
* 1:32046 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32045 <-> ENABLED <-> OS-OTHER Bash redir_stack here document handling denial of service attempt (os-other.rules)
* 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)

Modified rules:
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31291 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31292 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
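The three per-version lists above share one format, gid:sid <-> Default rule state <-> Message (rule group), and repeat the same rules, so the useful questions are the same each time: how many distinct rules arrived per rule group, and which ones ship DISABLED and therefore alert on nothing until someone enables them. The parser below is an added example, not Sourcefire or Snort code. It handles entries run together on one line (as the extracted lists are), deduplicates by gid:sid across the version lists, and reports the default-disabled rules. The sample entries are copied from this page; the regular expressions, function names and the ValueError-on-unparseable policy are this example's own choices.

```python
"""Parse Snort rule-update changelog entries of the form

    gid:sid <-> Default rule state <-> Message (rule group)

and summarise them: deduplicate across per-version lists, count rules per
rule group, and list the rules that ship DISABLED by default.
Added example; not Sourcefire/Snort code."""
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry. The message is everything between the state and the
# trailing "(<group>.rules)"; groups are names like malware-cnc.rules.
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)

# Entries are separated by "* " bullets, at line start or run together inline.
BULLET_RE = re.compile(r"(?:^|\s)\*\s+")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str


def parse_entries(text: str) -> list:
    """Return every entry in `text`, in order, duplicates included."""
    entries = []
    for chunk in BULLET_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            # Fail loudly: a silently skipped entry is a rule you never review.
            raise ValueError(f"unparseable changelog entry: {chunk!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def dedupe(entries) -> list:
    """Keep the first occurrence of each gid:sid (the same rule appears in
    every per-version list on the page)."""
    seen, unique = set(), []
    for e in entries:
        if (e.gid, e.sid) not in seen:
            seen.add((e.gid, e.sid))
            unique.append(e)
    return unique


def count_by_group(entries) -> dict:
    """Number of distinct rules per rule group, e.g. {'os-other.rules': 4}."""
    return dict(sorted(Counter(e.group for e in entries).items()))


def disabled_by_default(entries) -> list:
    """Rules that ship commented out: they alert on nothing until enabled,
    so these are the ones to review against the assets you actually run."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


# Sample input copied from the lists above (first line has two entries run
# together, last line repeats the first, as the per-version lists do).
SAMPLE = """\
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules) * 1:32056 <-> DISABLED <-> SERVER-WEBAPP ManageEngine FileCollector servlet directory traversal attempt (server-webapp.rules)
* 1:32054 <-> DISABLED <-> MALWARE-CNC Xsser mRAT file upload (malware-cnc.rules)
* 1:32060 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta (blacklist.rules)
* 1:32044 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:31838 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt (server-webapp.rules)
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
"""

if __name__ == "__main__":
    rules = dedupe(parse_entries(SAMPLE))
    print(f"{len(rules)} distinct rules:", count_by_group(rules))
    print("DISABLED by default (review before deploying):")
    for e in disabled_by_default(rules):
        print(f"  {e.gid}:{e.sid}  {e.msg}  [{e.group}]")
```

Feed it the full text of the three lists and the deduplicated count should come out at 27 rules (24 added, 3 modified) with six DISABLED. Rejecting unparseable entries rather than skipping them is deliberate: a changelog line that fails to parse is exactly the one that would otherwise be deployed unreviewed.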