The VRT has added and modified multiple rules in the blacklist, file-flash, file-office, file-other, malware-backdoor, malware-cnc, os-other and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
* 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)
* 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
* 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
* 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
* 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
* 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
* 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
* 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
* 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
* 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
* 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
* 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
* 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
* 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
* 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)
* 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
* 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
* 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
* 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
* 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
* 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
* 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)
* 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
* 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
* 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
* 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
* 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
* 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
* 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
* 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
* 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
* 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
* 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)
* 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32098 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32097 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
* 1:32096 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Puver variant outbound connection attempt (malware-cnc.rules)
* 1:32095 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalette Record Memory Corruption attempt (file-office.rules)
* 1:32094 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MalformedPalete Record Memory Corruption attempt (file-office.rules)
* 1:32093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banker variant outbound connection attempt (malware-cnc.rules)
* 1:32092 <-> DISABLED <-> POLICY-OTHER ManageEngine DeviceExpert user credentials enumeration attempt (policy-other.rules)
* 1:32091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection attempt (malware-cnc.rules)
* 1:32090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Saaglup variant outbound connection attempt (malware-cnc.rules)
* 1:32089 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32088 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32087 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:32086 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Corkow variant outbound connection attempt (malware-cnc.rules)
* 1:32085 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32084 <-> ENABLED <-> SERVER-OTHER HP Network Node Manager ovopi.dll stack buffer overflow attempt (server-other.rules)
* 1:32083 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed file format parsing code execution attempt (file-office.rules)
* 1:32082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed Filter Records Handling Code Execution attempt (file-office.rules)
* 1:32081 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32080 <-> ENABLED <-> MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection (malware-backdoor.rules)
* 1:32079 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ns01.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32078 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nova.ddns.us - Linux.Backdoor.Starysu (blacklist.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32076 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 1091 directory traversal attempt (server-other.rules)
* 1:32075 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Small variant outbound connection attempt (malware-cnc.rules)
* 1:32074 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot payload download attempt (malware-cnc.rules)
* 1:32073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot outbound connection attempt (malware-cnc.rules)
* 1:32072 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zemot configuration download attempt (malware-cnc.rules)
* 1:32071 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection attempt (malware-cnc.rules)
* 1:32070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dalgan variant outbound connection attempt (malware-cnc.rules)
* 1:32069 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32068 <-> DISABLED <-> POLICY-OTHER SolarWinds Log and Event Manager default credentials authentication attempt (policy-other.rules)
* 1:16053 <-> DISABLED <-> FILE-OTHER GNU tar PAX extended headers handling overflow attempt (file-other.rules)
* 1:25581 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25582 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25583 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25584 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:25585 <-> ENABLED <-> SERVER-OTHER EMC AlphaStor Device Manager command injection attempt (server-other.rules)
* 1:32066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)
* 1:32067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Asprox outbound connection attempt (malware-cnc.rules)