The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-other, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
* 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
* 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)
* 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
* 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
* 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
* 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
* 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
* 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
* 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
* 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
* 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)
* 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
* 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
* 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
* 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
* 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
* 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
* 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32572 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32571 <-> ENABLED <-> FILE-FLASH Adobe Flash Player string concatenation integer overflow attempt (file-flash.rules)
* 1:32570 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32569 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF header integer overflow attempt (file-flash.rules)
* 1:32566 <-> DISABLED <-> POLICY-OTHER SSLv3 CBC client connection attempt (policy-other.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32563 <-> DISABLED <-> SERVER-WEBAPP Visual Mining NetCharts arbitrary file upload attempt (server-webapp.rules)
* 1:32562 <-> ENABLED <-> FILE-OTHER Oracle Java awt_setPixels out-of-bounds read attempt (file-other.rules)
* 1:32561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32559 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32558 <-> ENABLED <-> FILE-FLASH Adobe Flash Player setglobalslot malformed bytecode remote code execution attempt (file-flash.rules)
* 1:32557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayoboiz outbound connection attempt (malware-cnc.rules)
* 1:32555 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request (exploit-kit.rules)
* 1:32554 <-> ENABLED <-> EXPLOIT-KIT Hellspawn exploit kit landing page detected (exploit-kit.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash player incorrect codec denial of service attempt (file-flash.rules)
* 1:32551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
* 1:32550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Extant variant outbound connection (malware-cnc.rules)
* 1:32549 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sunzestate.com - Win.Trojan.Extant (blacklist.rules)
* 1:32548 <-> DISABLED <-> MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection (malware-cnc.rules)
* 1:31818 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral statusUpdate servlet directory traversal attempt (server-webapp.rules)
* 1:32369 <-> DISABLED <-> PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt (protocol-icmp.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection attempt (malware-cnc.rules)
* 1:32404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32407 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32409 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ECDSA certificate validation bypass attempt (os-windows.rules)
* 1:32414 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32417 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:32419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32420 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32421 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SChannel ECDH key exchange heap overflow attempt (os-windows.rules)
* 1:32422 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 handshake cookie buffer overflow attempt (os-windows.rules)
* 1:32423 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DTLSv1.0 hello verify request out of bounds read attempt (os-windows.rules)