The VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, file-flash, file-office, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules) * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules) * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules) * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules) * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules) * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules) * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules) * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules)
* 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules) * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules) * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules) * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules) * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules) * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules) * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules) * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules) * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules) * 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules) * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
* 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules) * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules) * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32874 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32873 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray crash attempt (file-flash.rules) * 1:32872 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel ObjBiff exploit attempt (file-office.rules) * 1:32871 <-> DISABLED <-> OS-WINDOWS Multiple product mailto uri handling code execution attempt (os-windows.rules) * 1:32870 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules) * 1:32869 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules) * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules) * 1:32866 <-> DISABLED <-> APP-DETECT I2P UPNP query attempt (app-detect.rules) * 1:32865 <-> DISABLED <-> APP-DETECT I2P DNS request attempt (app-detect.rules) * 1:32864 <-> DISABLED <-> APP-DETECT I2P NetBIOS name resolution request attempt (app-detect.rules) * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32862 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32861 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32860 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32859 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32858 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32857 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules) * 1:32856 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32855 <-> DISABLED <-> FILE-PDF Adobe Reader graphics module crash attempt (file-pdf.rules) * 1:32854 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Loodir outbound connection (malware-cnc.rules) * 1:32853 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection attempt (malware-cnc.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32844 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer COleSite ActiveX memory corruption attempt (browser-plugins.rules) * 1:32843 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32842 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules) * 1:32841 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Messenger ActiveX clsid access (browser-plugins.rules) * 1:32840 <-> DISABLED <-> BROWSER-PLUGINS Microsoft IE8 Developer Tool ActiveX clsid access (browser-plugins.rules)
* 1:32789 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32790 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32788 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged JavaScript execution attempt (file-pdf.rules) * 1:32701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32699 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32700 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32695 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:32696 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules) * 1:29644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sdconsent outbound communication (malware-cnc.rules) * 1:32621 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Regin outbound connection attempt (malware-cnc.rules) * 1:17467 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ShellExecute and IE7 snews url handling code execution attempt (os-windows.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
