The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-identify, file-office, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tsl.gettrials.com (blacklist.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baccamun variant outbound connection attempt (malware-cnc.rules)
* 1:32394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32389 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request (exploit-kit.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
* 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
* 1:32385 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tiptronic.soxx.us - Scarsi Trojan (blacklist.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32387 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit jar file download (exploit-kit.rules)
* 1:32388 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:32390 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:32392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adda.lengendport.com (blacklist.rules)
* 1:32396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
* 1:32383 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre (blacklist.rules)
* 1:32382 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain auty.organiccrap.com (blacklist.rules)
* 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
* 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)
* 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
* 1:11687 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
* 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)
* 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baccamun variant outbound connection attempt (malware-cnc.rules)
* 1:32382 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
* 1:32383 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre (blacklist.rules)
* 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
* 1:32385 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tiptronic.soxx.us - Scarsi Trojan (blacklist.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32387 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit jar file download (exploit-kit.rules)
* 1:32388 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:32389 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request (exploit-kit.rules)
* 1:32391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tsl.gettrials.com (blacklist.rules)
* 1:32390 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:32392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adda.lengendport.com (blacklist.rules)
* 1:32393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain auty.organiccrap.com (blacklist.rules)
* 1:32394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
* 1:32396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
* 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)
* 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
* 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
* 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)
* 1:11687 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32394 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Orcarat variant outbound connection attempt (malware-cnc.rules)
* 1:32393 <-> ENABLED <-> BLACKLIST DNS request for known malware domain auty.organiccrap.com (blacklist.rules)
* 1:32392 <-> ENABLED <-> BLACKLIST DNS request for known malware domain adda.lengendport.com (blacklist.rules)
* 1:32391 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tsl.gettrials.com (blacklist.rules)
* 1:32390 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:32389 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request (exploit-kit.rules)
* 1:32388 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:32387 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit jar file download (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32385 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tiptronic.soxx.us - Scarsi Trojan (blacklist.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32383 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre (blacklist.rules)
* 1:32382 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:32380 <-> ENABLED <-> FILE-IDENTIFY dib file attachment detected (file-identify.rules)
* 1:32379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Baccamun variant outbound connection attempt (malware-cnc.rules)
* 1:32378 <-> ENABLED <-> FILE-IDENTIFY bmp file attachment detected (file-identify.rules)
* 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
* 1:32355 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript variable obfuscation (indicator-obfuscation.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
* 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
* 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
* 1:26389 <-> DISABLED <-> SERVER-OTHER BigAnt Document Service DUPF command arbitrary file upload attempt (server-other.rules)
* 1:11687 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
* 1:18539 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer event handling remote code execution attempt (browser-ie.rules)