The VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-java, malware-cnc, protocol-ftp and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32238 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32231 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules) * 1:32232 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32233 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32228 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32227 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32219 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldnews247.net - Win.Trojan.Kazy (blacklist.rules) * 1:32220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32222 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection attempt (malware-cnc.rules) * 1:32234 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32223 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32235 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32224 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32236 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32237 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32229 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection attempt (malware-cnc.rules) * 1:32226 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:32239 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32230 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules)
* 1:3686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Content Advisor memory corruption attempt (browser-ie.rules) * 1:21603 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21604 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21605 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21606 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21602 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:24285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules) * 1:21600 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21601 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21599 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:1777 <-> DISABLED <-> PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt (protocol-ftp.rules) * 1:16356 <-> DISABLED <-> SERVER-IIS multiple extension code execution attempt (server-iis.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32237 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32238 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32236 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection attempt (malware-cnc.rules) * 1:32226 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32224 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32223 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32222 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection attempt (malware-cnc.rules) * 1:32219 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldnews247.net - Win.Trojan.Kazy (blacklist.rules) * 1:32220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32228 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32227 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32230 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules) * 1:32229 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32231 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules) * 1:32232 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32233 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32234 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32235 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32239 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
* 1:21606 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:1777 <-> DISABLED <-> PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt (protocol-ftp.rules) * 1:16356 <-> DISABLED <-> SERVER-IIS multiple extension code execution attempt (server-iis.rules) * 1:21602 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21599 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21600 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21601 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21603 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21604 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:3686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Content Advisor memory corruption attempt (browser-ie.rules) * 1:24285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules) * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:21605 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:32239 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32238 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32237 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32236 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation memory corruption attempt (file-flash.rules) * 1:32235 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32234 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32233 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32232 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules) * 1:32231 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules) * 1:32230 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer address bar spoofing without scripting (browser-ie.rules) * 1:32229 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32228 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32227 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32226 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules) * 1:32225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection attempt (malware-cnc.rules) * 1:32224 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32223 <-> DISABLED <-> SERVER-OTHER Firebird database invalid state integer overflow attempt (server-other.rules) * 1:32222 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection attempt (malware-cnc.rules) * 1:32221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy download detected (malware-cnc.rules) * 1:32219 <-> ENABLED <-> BLACKLIST DNS request for known malware domain worldnews247.net - Win.Trojan.Kazy (blacklist.rules)
* 1:16356 <-> DISABLED <-> SERVER-IIS multiple extension code execution attempt (server-iis.rules) * 1:1777 <-> DISABLED <-> PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt (protocol-ftp.rules) * 1:21599 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21600 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21601 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21602 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21603 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21604 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21605 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:21606 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS 6 multiple executable extension access attempt (server-iis.rules) * 1:24285 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nomno variant outbound connection (malware-cnc.rules) * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules) * 1:3686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Content Advisor memory corruption attempt (browser-ie.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
