The VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, file-flash, file-office, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33064 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lifehealthsanfrancisco2015.com (blacklist.rules)
* 1:33065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msoutexchange.us (blacklist.rules)
* 1:33061 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lagulon.A outbound connection (malware-cnc.rules)
* 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33060 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33059 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:33083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos information disclosure attempt (malware-cnc.rules)
* 1:33098 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33096 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33099 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
* 1:33095 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33054 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Joanap outbound connection attempt (malware-cnc.rules)
* 1:33091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:33055 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ellismikepage.info (blacklist.rules)
* 1:33056 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rpgallerynow.info (blacklist.rules)
* 1:33057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dmforever.biz (blacklist.rules)
* 1:33092 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:33093 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33094 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33066 <-> ENABLED <-> BLACKLIST DNS request for known malware domain junomaat81.us (blacklist.rules)
* 1:33067 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookscansafe.net (blacklist.rules)
* 1:33068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nickgoodsite.co.uk (blacklist.rules)
* 1:33069 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookexchange.ne (blacklist.rules)
* 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33074 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33075 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33076 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33078 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33079 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33080 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33081 <-> ENABLED <-> MALWARE-CNC OnionDuke variant outbound connection attempt (malware-cnc.rules)
* 1:33082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos initial outbound connection (malware-cnc.rules)
* 1:33084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tosct variant outbound connection attempt (malware-cnc.rules)
* 1:33087 <-> DISABLED <-> FILE-PDF Foxit Reader remote query string buffer overflow attempt (file-pdf.rules)
* 1:33086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33088 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33097 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33089 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33090 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
* 1:18420 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ASnative function remote code execution attempt (file-flash.rules)
* 1:18992 <-> DISABLED <-> FILE-FLASH Adobe Flash Player content parsing execution attempt (file-flash.rules)
* 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
* 1:18418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript apply function memory corruption attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:33055 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ellismikepage.info (blacklist.rules)
* 1:33056 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rpgallerynow.info (blacklist.rules)
* 1:33057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dmforever.biz (blacklist.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:33059 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33060 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33061 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lagulon.A outbound connection (malware-cnc.rules)
* 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33064 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lifehealthsanfrancisco2015.com (blacklist.rules)
* 1:33065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msoutexchange.us (blacklist.rules)
* 1:33066 <-> ENABLED <-> BLACKLIST DNS request for known malware domain junomaat81.us (blacklist.rules)
* 1:33067 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookscansafe.net (blacklist.rules)
* 1:33068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nickgoodsite.co.uk (blacklist.rules)
* 1:33069 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookexchange.ne (blacklist.rules)
* 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33074 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33075 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33076 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33078 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33079 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33080 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33081 <-> ENABLED <-> MALWARE-CNC OnionDuke variant outbound connection attempt (malware-cnc.rules)
* 1:33082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos initial outbound connection (malware-cnc.rules)
* 1:33083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos information disclosure attempt (malware-cnc.rules)
* 1:33084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tosct variant outbound connection attempt (malware-cnc.rules)
* 1:33085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33087 <-> DISABLED <-> FILE-PDF Foxit Reader remote query string buffer overflow attempt (file-pdf.rules)
* 1:33088 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33099 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
* 1:33098 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33097 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33096 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33095 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33054 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Joanap outbound connection attempt (malware-cnc.rules)
* 1:33094 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:33092 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:33093 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33090 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33089 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
* 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
* 1:18420 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ASnative function remote code execution attempt (file-flash.rules)
* 1:18992 <-> DISABLED <-> FILE-FLASH Adobe Flash Player content parsing execution attempt (file-flash.rules)
* 1:18418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript apply function memory corruption attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33099 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
* 1:33098 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33097 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33096 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33095 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos Use After Free attempt (browser-ie.rules)
* 1:33094 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33093 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CInput element user after free attempt (browser-ie.rules)
* 1:33092 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:33091 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FlashUtil memory corruption attempt (file-flash.rules)
* 1:33090 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33089 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33088 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox 17 onreadystatechange memory corruption attempt (browser-firefox.rules)
* 1:33087 <-> DISABLED <-> FILE-PDF Foxit Reader remote query string buffer overflow attempt (file-pdf.rules)
* 1:33086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 10 use after free attempt (browser-ie.rules)
* 1:33084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tosct variant outbound connection attempt (malware-cnc.rules)
* 1:33083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos information disclosure attempt (malware-cnc.rules)
* 1:33082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocpos initial outbound connection (malware-cnc.rules)
* 1:33081 <-> ENABLED <-> MALWARE-CNC OnionDuke variant outbound connection attempt (malware-cnc.rules)
* 1:33080 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33079 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33078 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player pre-compile regex length denial of service attempt (file-flash.rules)
* 1:33076 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33075 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33074 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Multiple Products WsDiscoveryServlet directory traversal attempt (server-webapp.rules)
* 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
* 1:33069 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookexchange.ne (blacklist.rules)
* 1:33068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nickgoodsite.co.uk (blacklist.rules)
* 1:33067 <-> ENABLED <-> BLACKLIST DNS request for known malware domain outlookscansafe.net (blacklist.rules)
* 1:33066 <-> ENABLED <-> BLACKLIST DNS request for known malware domain junomaat81.us (blacklist.rules)
* 1:33065 <-> ENABLED <-> BLACKLIST DNS request for known malware domain msoutexchange.us (blacklist.rules)
* 1:33064 <-> ENABLED <-> BLACKLIST DNS request for known malware domain lifehealthsanfrancisco2015.com (blacklist.rules)
* 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
* 1:33061 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lagulon.A outbound connection (malware-cnc.rules)
* 1:33060 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33059 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant outbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:33057 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dmforever.biz (blacklist.rules)
* 1:33056 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rpgallerynow.info (blacklist.rules)
* 1:33055 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ellismikepage.info (blacklist.rules)
* 1:33054 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Joanap outbound connection attempt (malware-cnc.rules)
* 1:18683 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel file with embedded PDF object (file-office.rules)
* 1:32488 <-> DISABLED <-> INDICATOR-COMPROMISE .com- potentially malicious hostname (indicator-compromise.rules)
* 1:32553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:32552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect codec denial of service attempt (file-flash.rules)
* 1:18992 <-> DISABLED <-> FILE-FLASH Adobe Flash Player content parsing execution attempt (file-flash.rules)
* 1:32400 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Parama attempted outbound connection (malware-cnc.rules)
* 1:18418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript apply function memory corruption attempt (file-flash.rules)
* 1:18420 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ASnative function remote code execution attempt (file-flash.rules)