The VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, file-identify, file-other, malware-backdoor, malware-cnc, malware-other, os-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
* 1:32266 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
* 1:32265 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
* 1:32264 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
* 1:32263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
* 1:32262 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:32260 <-> ENABLED <-> MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl (malware-other.rules)
* 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
* 1:32258 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32257 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32256 <-> ENABLED <-> FILE-OTHER GE Cimplicity bcl file loading external file attempt (file-other.rules)
* 1:32255 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32254 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32253 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file download request (file-identify.rules)
* 1:32252 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
* 1:32251 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
* 1:32250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected (malware-cnc.rules)
* 1:32249 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot port bind attempt (malware-backdoor.rules)
* 1:32248 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot file edit attempt (malware-backdoor.rules)
* 1:32247 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot command execution attempt (malware-backdoor.rules)
* 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
* 1:32245 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
* 1:32244 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
* 1:32243 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Clemint variant outbound connection (malware-cnc.rules)
* 1:32242 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.freetzi.com - WIN.Trojan.Clemint (blacklist.rules)
* 1:32241 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.0catch.com - WIN.Trojan.Clemint (blacklist.rules)
* 1:16008 <-> DISABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)
* 1:1841 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
* 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:32042 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32263 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
* 1:32265 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
* 1:32267 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
* 1:32264 <-> ENABLED <-> BROWSER-IE ActiveX installer broker object sandbox escape attempt (browser-ie.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:32252 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
* 1:32266 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 out of bounds array access attempt (browser-ie.rules)
* 1:32246 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
* 1:32255 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32257 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32249 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot port bind attempt (malware-backdoor.rules)
* 1:32253 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file download request (file-identify.rules)
* 1:32248 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot file edit attempt (malware-backdoor.rules)
* 1:32247 <-> ENABLED <-> MALWARE-BACKDOOR PHP IRCBot command execution attempt (malware-backdoor.rules)
* 1:32245 <-> ENABLED <-> SERVER-OTHER Samsung iPOLiS device manager possible FindConfigChildeKeyList buffer overflow attempt (server-other.rules)
* 1:32254 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32244 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
* 1:32251 <-> ENABLED <-> FILE-IDENTIFY Basic Control Engine file attachment detected (file-identify.rules)
* 1:32250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected (malware-cnc.rules)
* 1:32256 <-> ENABLED <-> FILE-OTHER GE Cimplicity bcl file loading external file attempt (file-other.rules)
* 1:32258 <-> ENABLED <-> FILE-OTHER GE Cimplicity CimView load remote file attempt (file-other.rules)
* 1:32260 <-> ENABLED <-> MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl (malware-other.rules)
* 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
* 1:32241 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.0catch.com - WIN.Trojan.Clemint (blacklist.rules)
* 1:32243 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Clemint variant outbound connection (malware-cnc.rules)
* 1:32242 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mcclient.freetzi.com - WIN.Trojan.Clemint (blacklist.rules)
* 1:32262 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Active X installer broker privilege elevation attempt (browser-ie.rules)
* 1:23836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:31296 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer negative margin use after free attempt (browser-ie.rules)
* 1:32042 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:1841 <-> DISABLED <-> BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt (browser-firefox.rules)
* 1:32041 <-> DISABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
* 1:16008 <-> DISABLED <-> OS-WINDOWS Multiple Products excessive HTTP 304 Not Modified responses exploit attempt (os-windows.rules)