The VRT has added and modified multiple rules in the blacklist, browser-ie, file-office, malware-cnc, os-windows, protocol-voip, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32193 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32194 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32195 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palebot variant outbound connection attempt (malware-cnc.rules)
* 1:32196 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:32197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zerolocker variant outbound connection (malware-cnc.rules)
* 1:32198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mujormel outbound communication (malware-cnc.rules)
* 1:32199 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 directory traversal attempt (server-other.rules)
* 1:32200 <-> ENABLED <-> BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32201 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tempuri.org - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32202 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soaphrish variant outbound connection (malware-cnc.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32206 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 3:32207 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32208 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32209 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32210 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32211 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32212 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32213 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32214 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32215 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32216 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32217 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 3:32218 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 1:15965 <-> DISABLED <-> OS-WINDOWS Microsoft Explorer long share name buffer overflow attempt (os-windows.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:22052 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 1:28880 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt (browser-ie.rules)
* 1:29549 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure test_li_connection.php command injection (server-webapp.rules)
* 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
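The "gid:sid <-> Default rule state <-> Message (rule group)" format above is easy to process mechanically, which matters here because several of the new rules (the two SSLv3 POODLE signatures, the HP OpenView traversal and the PineApp command injection) ship DISABLED and will not fire until you turn them on. The following Python is an added example, not code from the Snort or VRT changelog: it parses entries in that format (including the flattened form in which several entries share one line), tallies default states per rule group, and emits gid:sid lines in the shape PulledPork's enablesid.conf accepts for the disabled rules that match a keyword. The sample input is a constructed excerpt of six entries from the 2956 list; which disabled rules to enable is a local decision, and the POODLE keyword is only an illustration.

```python
import re
from collections import Counter

# Constructed sample input: six entries copied from the 2956 list above, one
# per line. The parser also accepts the flattened form in which several
# entries share a line, because it scans for bullets rather than splitting on
# newlines.
SAMPLE = """\
* 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32200 <-> ENABLED <-> BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (blacklist.rules)
* 3:32218 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 1:32199 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 directory traversal attempt (server-other.rules)
* 1:22052 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
"""

# One entry: "* gid:sid <-> STATE <-> message (group.rules)". DOTALL lets the
# non-greedy message span a line break left behind by extraction; the
# whitespace is normalised afterwards.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[a-z0-9-]+\.rules)\)",
    re.DOTALL,
)


def parse_changelog(text):
    """Return one dict per rule entry found anywhere in the text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "msg": " ".join(m.group("msg").split()),
            "group": m.group("group"),
        })
    return entries


def state_by_group(entries):
    """Counter keyed by (group, state): how much of each rule set ships off."""
    return Counter((e["group"], e["state"]) for e in entries)


def disabled_matching(entries, keyword):
    """Rules that are DISABLED by default and mention keyword in the message."""
    kw = keyword.lower()
    return [e for e in entries
            if e["state"] == "DISABLED" and kw in e["msg"].lower()]


def enablesid_lines(entries):
    """'gid:sid' lines, sorted and de-duplicated, for PulledPork's enablesid.conf."""
    return sorted({f"{e['gid']}:{e['sid']}" for e in entries},
                  key=lambda s: tuple(int(x) for x in s.split(":")))


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    for (group, state), n in sorted(state_by_group(rules).items()):
        print(f"{group:22} {state:8} {n}")
    # Hypothetical local policy: enable the POODLE rules that ship disabled.
    print("\n".join(enablesid_lines(disabled_matching(rules, "POODLE"))))
```

Run against a real changelog, the output of enablesid_lines can be appended to enablesid.conf before the next PulledPork run; rules tagged DISABLED in these lists stay off until that is done, since the changelog only records the default state the VRT assigned them.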
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32193 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32194 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32195 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palebot variant outbound connection attempt (malware-cnc.rules)
* 1:32196 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:32197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zerolocker variant outbound connection (malware-cnc.rules)
* 1:32198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mujormel outbound communication (malware-cnc.rules)
* 1:32199 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 directory traversal attempt (server-other.rules)
* 1:32200 <-> ENABLED <-> BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32201 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tempuri.org - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32202 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soaphrish variant outbound connection (malware-cnc.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32206 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 3:32207 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32208 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32209 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32210 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32211 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32212 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32213 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32214 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32215 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32216 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32217 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 3:32218 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 1:15965 <-> DISABLED <-> OS-WINDOWS Microsoft Explorer long share name buffer overflow attempt (os-windows.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:22052 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 1:28880 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt (browser-ie.rules)
* 1:29549 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure test_li_connection.php command injection (server-webapp.rules)
* 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32193 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32194 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dubrute variant outbound connection (malware-cnc.rules)
* 1:32195 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Palebot variant outbound connection attempt (malware-cnc.rules)
* 1:32196 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant outbound connection (malware-cnc.rules)
* 1:32197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zerolocker variant outbound connection (malware-cnc.rules)
* 1:32198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mujormel outbound communication (malware-cnc.rules)
* 1:32199 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 305 directory traversal attempt (server-other.rules)
* 1:32200 <-> ENABLED <-> BLACKLIST DNS request for known malware domain somee.com - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32201 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tempuri.org - Win.Trojan.Soaphrish (blacklist.rules)
* 1:32202 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Soaphrish variant outbound connection (malware-cnc.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32204 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32205 <-> DISABLED <-> SERVER-OTHER SSLv3 POODLE CBC padding brute force attempt (server-other.rules)
* 1:32206 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 3:32207 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32208 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32209 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32210 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32211 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32212 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32213 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32214 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32215 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32216 <-> ENABLED <-> PROTOCOL-VOIP missing media application format parameter denial-of-service attempt (protocol-voip.rules)
* 3:32217 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 3:32218 <-> ENABLED <-> PROTOCOL-VOIP out of range port specification exploit attempt (protocol-voip.rules)
* 1:15965 <-> DISABLED <-> OS-WINDOWS Microsoft Explorer long share name buffer overflow attempt (os-windows.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:22052 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel style record overflow attempt (file-office.rules)
* 1:28880 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 8 CElement Use After Free exploit attempt (browser-ie.rules)
* 1:29549 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure test_li_connection.php command injection (server-webapp.rules)
* 1:32147 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32148 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)